Why do you care if DNS leaks to the other subnet? WTF are you worried about exactly? Say you have external, global DNS that has an A record of 65.65.65.65 for www.mycoolsite.com.  Your internal DNS has an A record of 192.168.123.20 for www.mycoolsite.com. You want ALL internal (Not NAT) hosts to get 192.168.123.20 when they ask for the address of www.mycoolsite.com. You want all external hosts to get 65.65.65.65. Whether or not the users on 192.168.0.0/24 can access the services on 192.168.123.20 is handled by firewall rules on the 192.168.0.0/24 interface, not DNS. If you REALLY want to make DNS answers different for clients on 192.168.0.0/24 and 192.168.123.0/24 you are probably looking at BIND and views. I, personally, would use a VM for that, not the BIND package, but people tend to contract a brain virus that makes them try to make pfSense do absolutely everything. If you stop blaming pfSense you might get your network configured properly. This stuff just works when you do it right. It doesn't pass traffic one minute but not another just because it feels like it - something was changed.

do you have more than 1 public IP from your isp?  Carp is how its normally done https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29

Thanks! that did it!. I thought the switch will do it "automatically" since the gateway on its configuration is set to the pfsense IP.

Verizon uses extra security and you can't go swapping devices around I have found. ATT doesn't seem to lock their SIM to a machine like Verizon. Have you had the device 'online' in another computer??? If so you will have to call customer support and hope you reach the right person. The device might be portable but their service is not. This is just a guess as I had issues testing with Sierra MC7750 and Verizon. Your PPP Log looks good except for hangup. External devices might be a better bet. The hockeypuck shows up like a usb ethernet device so you might see better speeds than PPP/MPD5. I hate to advocate against modems but Verizon SIM/Device management adds a layer of complexity.

@pwndealer: Thanks a lot for all your help with sharing all this info mate, really, much appreciated. :) Glad to be of assistance  :D

@pahowart: Creating a firewall for each LAN Interface and set the desired Gateway (Internet connection) under the advanced section of the firewall rule. So every rule has to be touched and modified… ouch. Thanks everyone for the input

Why would anyone do this?? More an more I think there should be a basic networking test before you are allowed to install pfsense ;) hehehe Maybe something like a license key.. You have to take a test online, if you pass then you get a key…

It's not a good design. But the reason a ping first works is almost certainly because it makes the host pick up the ICMP redirect, then when you try the TCP connection, it routes it directly accordingly.

You will also need a static route at Juniper to direct VPN tunnel subnet to pfSense LAN address. Further you have to add a firewall rule to pfSense LAN interface to allow access to VPN subnet.

loadbalancing doesn't (always) combine the speed of both connections. it just "switches" / balances between the individual connections. the annoying part is just how it works, you can reduce this behavior by enabling 'sticky connections' in System: Advanced: Miscellaneous

Dude lets do some basics here.. Lets do so basics.. this really should be clickity clickity.. I have been running pfsense on esxi since version 5 of esxi and has always just been clickity clickity to get it working.. So your physical network is 192.168.0.0/24 so connect pfsense wan to this network.. Then on your new vswitch be it d or just standard connect your pfsense lan interface..  Lets use say 192.168.2.0/24 since you have not mentioned this network.  Put a vm in this same vswitch and it should get an IP address from pfsense dhcp server..  If it doesn't then you got something wrong. Once you have wan/lan working.. You know have your isolated network..  Once you have it working with NAT, and your clients can get to your wan… Then you can turn worry about turning off nat if you want.. Again keep in mind pfsense 2.2 is NOT supported by your OLD as the hills version of esxi..  Your not installing the vmware tools are you??

Any ideas?

Ok, If I Double NAT the performance issue goes away.  I guess that means it is an asymmetric routing problem.  I explicitly added a gateway to the VPNNEWARK rule, forcing traffic back to 10.21.101.2, but it didn't make a difference and everything still didn't work.

getting a faster subscription would probably be a better option. that or using a tranfer protocol that supports multiple streams Hi Heper, thanks for helping. Unfortunately faster connection isn't possible as there's only 1 service provider in that area and only ADSL. U mentioned using a transfer protocol for multiple streams, I'm sorry could you explain that? I'll see if that could be a possibility. Another option I think would be possible is to have a 3g connection as WAN2, but since it's a metered connection, could I (a. make sure dvr only uses 3g WAN and b. Make sure only DVR uses 3g WAN)? Really appreciate your help

Its just a simple webserver for our personal sites. We are using the ips for a few different reasons such as ssl certs and so on. We are just hung up on this one issue. In DDwrt we were able to achieve this via code but it was a pain in the behind so we switched and Pfsense was what was recommended, we were told it is better and easier to use. Thanks.