Problem solved.  8)
I have now used a Bridge between the WAN and NIC4 interface.

The Bridge i have named "DMZ_Bridge" and set connection type "none"
Nic4 interface, i have named "DMZ" with connection type "none"
Only the WAN interface has a connection type "DHCP".

Under firewall rules, i added "any pass rule" for the DMZ and DMZ_Bridge interface.
For both, i unchecked the option "Block Private Networks" and "Block Bogon Networks".

I then added block rules between the DMZ interface and other LAN's.

Greetz
DeLorean

What is the model of your AP?

Well, the TASK is simple…  Ping this IP, from this interface, using this route, and output the return time and loss here.  That's simple enough I can do the majority, if not all, of it in a DOS script.  Hopefully 2.3 has de-complicated whatever apinger did in <2.3 such that the complexity of the process matches the (lack of) complexity of the task.  ;)

Thanks for the pointer to services.inc.  I'll have to take a look at that.

Updated my device and have some more settings now.

OK ati Manufacturer: Sierra Wireless, Incorporated Model: MC7700 Revision: SWI9200X_03.05.29.03ap r6485 CNSHZ-ED-XP0031 2014/12/02 17:53:15 IMEI: 01262600105xxxx IMEI SV: 23 FSN: CDC1373192710 3GPP Release 8 +GCAP: +CGSM OK at!custom=? !CUSTOM:             "MEPLOCK"             "NOROAM"             "NOGPRS"             "PUKPRMPT"             "MEPCODE"             "NOAUTOC"             "ADVPROF"             "ISVOICEN"             "DISPLDUN"             "DATADISP"             "SCANPROF"             "DISSTACK"             "HSDPATEST"             "CSPMANDIS"             "STKUIEN"             "ATINDMASK"             "PRLREGION"             "PCSCDISABLE"             "DISFDNPDPCHK"             "HPPLMNSCDIS"             "GPSENABLE"             "CSDOFF"             "OSPWWANENABLE"             "AUTONETWORKMODE"             "SWOCENABLE"             "HSICON"             "STARTLPM"             "USBMSENABLE"             "CSVOICEREJECT"             "CUSTOMER"             "WAPPUSHDATA"             "USBDMDISABLE"             "SIMLPM"             "CPASCWRINGIND"             "TRUFLOWDISABLE"             "USBSERIALENABLE"             "WIN7MBOPTIONS"             "GPSLPM"             "GPSREFLOC"             "DHCP6ENABLE"             "RDENABLE"             "GPSSEL"             "BBENABLE"             "WIND"             "PCNOTIFY"             "CMCLIENT"             "ROAMRATDIS"             "SINGLEAPNSWITCH"             "WAKEHOSTEN"             "CFUNPERSISTEN"             "MIMOCAPEN"             "RRCREL7CAPDIS"             "GPIOSARENABLE"             "WIN8OOSACT"             "LTESMS"             "DHCPRELAYENABLE" OK

How is the pfsense box connected to the wireless AP? Does it run through a separate switch or is it directly connected to the pfsense box?

If it is connected through a switch, the switch will need to be Layer-2 capable.

If connected directly to the  pfSense then you won't need a Layer-2 switch.

I've created separate VLANs on a wireless AP running DD-WRT, but haven't had any experience with Tomato. I assume the fundamental basics will be similar.

You'll need to decide what ID you want for each of the VLANs. It's not recommended to use VLAN 1 (which is the default), and if Tomato is similar to DDWRT you may be restricted to VLANs between 1 and 20.

When playing around with the configuration of VLANs it's very easy to lose network connectivity to your pfSense or wireless AP. Therefore, make sure you always have access to the console on pfSense and know how to revert the configuration back if required via the console. Likewise on your wireless AP, make sure you always have one port which is set to the old VLAN so if it doesn't work you can plug your computer into that port and still access Tomato. Only switch everything over completely once you've tested that it all works.

On your wireless AP you'll need to create your home network VLAN and assign it to the ports on the AP and the APs CPU port. Make sure the CPU port and the port which the pfSense box connects to on the AP are nominated as tagged ports. All other ports should be untagged.  Make sure the home VLAN is assigned to the LAN network on the switch. This may happen automatically, or you may need to specify it. You may also need to manually create a bridge between the home VLAN and LAN network on your wireless AP. You will lose connectivity from your wireless AP to pfSense at this point, so make sure you have a plan B if you need to google any trouble shooting information.

At this stage you'll need to connect a PC directly to the pfsense box to access the web gui. Create a the VLANs for you home and guest network in pfSense and then assign the LAN interface to the home VLAN. At this stage you will lose connectivity to pfsense. Plug the pfsense box into the Wireless AP on the tagged port and you should be able to access pfsense and the internet on the home VLAN. Next assign the guest VLAN to the guest interface in pfSense.

Finally create the guest VLAN on your AP. Assign the guest VLAN to CPU and pfSense ports on your wireless AP (these should still be tagged). You will then need to create a bridge on the wireless AP to connect your guest WLAN to your Guest VLAN, and ensure they are not bridged to the LAN of home LAN.  Provided you have your firewall rules configured correctly you should have connectivity through your guest SSID. If everything is working you can change the final port on you wireless AP to the home VLAN.

Never mind worked it out.

In my rule for OVPNS2 of allow all to destination all I had forced the gateway to be OVPNS instead of default, aka system routing table. This meant I was rerouting packets back out through the existing gateway and not letting pfSense handle the routing.

Thanks all!

Yes, it is now working.

Thanks everyone!

Is this okay? Sorry I am noob.

Network.jpg
Network.jpg_thumb

Okay. Thanx for clearing up.

No. There is no way for rules to distinguish "upload" vs "download" all they see are connections, not which end of the connection is sending more traffic than the other. Plus each WAN has different IP addresses, so you can't have half a connection go out one IP address and the other half come back to a different IP address.

OK, thank you.

However, we do want PBR on LAN1 and actually that was our main reason for going with pfSense because we also have a VPN set up so that if P2P Wireless goes down, there is still communication between the LANs

The VPN connection turns on and off automatically depending on the status of the P2P Wireless connection.

When we lost Internet at WAN1, pfSense marked the P2P Gateway as down and routed traffic out WAN2. So LAN1 was trying to communicate over VPN, but since P2P wireless was actually still up the VPN was not turned on.

So maybe on pfSense we need two separate policies, one for loss of Internet and one for loss of P2P wireless, but I don't know if this is possible.

@Derelict:

Right. And I am in no mood to write up exactly how to configure all that for someone who apparently doesn't know the difference between tagged and untagged switch ports.

I hate to be harsh, but no. Maybe someone else.

thank you for your answer,
the issue here is not knowing the different between tag and untag is the explanation .
hopefully someone can be kind and help me here out .

i basically stopped reading at "Bridged with OPT1'

anyways, no, nobody will know what you might be missing ;)
please provide detailled schematics, what is is you wish to do, what you have tried, screenshots of everything that is related.