As a workaround you may set up an SNAT rule for the AP. Maybe that's what also the USG did. I've seen this also on a Fortigate.

Yes, you need a route on the client, but not static. The OpenVPN server can push the route to the client after the connection is established, when connection is closed the route is deleted again. To set this up go to the server settings and check "Redirect gateway". Ensure that there is an outbound NAT rule for the vpn tunnel subnet in place on pfSense with NAT address = WAN address.

Awesome! Thank you for your help! Now I just have to find out the IP Adresses for Steam and I'm fine :)

Yes. You can have VLANs on WAN going to an outside switch to two or more different providers. pfSense: vlan 100 vlan 101 Switch: tagged port vlans 100 and 101 to pfsense, untagged 100 to ISP 1 modem, untagged 101 port to ISP 2 modem. It will be functionally equivalent to having two different WAN interfaces. You will have to understand that powering off and on one of the modems won't trigger a DHCP renewal event on pfSense because the port will not go down from its perspective. You might have to release renew manually, etc, if that ever arises.

Ping works fine claims it's up but it is qos limited normally 14mbps now 0.5 Mbps

That would depend on the isp sure.. I know you can get a lowend vps for your vpn connection for like $15 a year..

That'll probably break your users' firewalls. If they send packets to xxx.xxx.xxx.xx1 and get a response from xxx.xxx.xxx.xx2, firewalls will block the response packet. Sounds like you need a CDN service or similar. I don't think pfSense can help you here.

Dear all . .. Its works for me . It was my mistake to give proper name to my router as same as a.example.com . Thank you all 44 Mems read this post

Pfsense shines as your edge router/firewall - if it couldn't route public or was something you shouldn't do pfsense would be pretty freaking useless ;)

pfsense out of the box does not use forwarding.. So you changed to using the forwarder?  Or have unbound in forward mode - where are you forwarding? Can pfsense lookup stuff?  ie use the diag, dns lookup. Can clients query pfsense dns for say pfsense fqdn?  If using unbound and your coming from downstream networks you will most likely have to adjust the ACLs to allow for the downstream networks.  If using the unbound auto rules it prob only added your local lan network to the ACL..

Thank you very much, it's work !  :)

So are you natting because you state those are public IP.. If you want to hit the rfc1918 on that other box you would need to have a tunnel vs just a forward from the public. So what vpn did you bring up.  What tunnel network did you use?  Where is your routing table?

I would think that unbound able to use outgoing your wans should all you should need.