• Openbgpd

    2
    0 Votes
    2 Posts
    256 Views

    This got resolved by having the ISP configure /25 at their end and us advertising /25.

  • Failover WAN VPN connection status

    1
    0 Votes
    1 Posts
    110 Views
    No one has replied
  • Upstream gateway vs default gateway

    8
    0 Votes
    8 Posts
    13k Views

    @marcus_1302

    btw. just saw that even when you set the upstream gateway on the WAN interface, you can prevent pfSense from adding a reply-to userrule.

    Under System - Advanced - Firewall & NAT there is a checkbox

    Disable reply-to on WAN rules

    With Multi-WAN it is generally desired to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. When using bridging, this behavior must be disabled if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.

  • This topic is deleted!

    2
    0 Votes
    2 Posts
    11 Views
  • Gateways goes offline after ~1h

    1
    0 Votes
    1 Posts
    101 Views
    No one has replied
  • Issues with VLANs and Multiple Gateways

    1
    0 Votes
    1 Posts
    123 Views
    No one has replied
  • Two VRRP problem

    6
    0 Votes
    6 Posts
    672 Views

    In HQ, are you sure you have two LANs? They overlap (/16) and are rather big.
    Yes, you can send specific traffic to a specific gw with policy routing.
    As for the return packets, at the remote site LAN you also need to have some policy routing so packets return the same way.
    You can do it at the OSPF level, but it is starting to get complicated.

    I would eliminate OSPF altogether, direct connect two pf at sites and do asymmetric load balance for the two links.

  • Moving from VPN to SD-WAN

    6
    0 Votes
    6 Posts
    2k Views

    Sorry, but I don't get it. An SD-WAN, a cloud in the middle and suddenly a VPN tunnel across the cloud???
    It might work, but it doesn't feel right as a concept.
    If you need firewalling, why is the SD-WAN not doing it?

    It seems you have an authority issue to solve, not a technical one.

  • OpenVPN-client - how?

    3
    0 Votes
    3 Posts
    361 Views

    Or:
    https://administrator.de/wissen/openvpn-server-installieren-pfsense-firewall-mikrotik-dd-wrt-gl-inet-router-123285.html#toc-7
    Google Translator may be your friend here... ;-)

  • No LAN connection on dual firewall DMZ setup

    4
    0 Votes
    4 Posts
    818 Views

    @viragomann
    Thank you for your answer.
    My bad: I meant the 172.30.192.0 network.
    My problem is I can't connect the LAN to the internet from Firewall B.
    Thanks.

  • how is localhost still reaching domains without localhost NAT rules?

    6
    0 Votes
    6 Posts
    518 Views

    @jimp Ah yes, I do remember reading about binding to localhost for dual WAN OpenVPN setups. Thanks for the info, it's great to have such a knowledgeable and helpful community.

  • Cannot access webpage on different subnet.

    1
    0 Votes
    1 Posts
    133 Views
    No one has replied
  • Hurricane Electric tunnel fallback with 2 Internet WANs

    3
    0 Votes
    3 Posts
    131 Views
    Boab

    Tried adding the second GIF, it brought the HE link down. The Gateway status only showed one HE.
    Removed the extra GIF to restore normal operation.
    Thanks

  • Android DHCP, DNS issue.

    4
    0 Votes
    4 Posts
    782 Views
    kiokoman

    I have a bind9 DNS server configured with internal/external view on my locations, I just permit only my internal DNS server and block everything else,

  • pfSense not monitoring right ip with multi client openVPN connections

    2
    0 Votes
    2 Posts
    197 Views

    Well, by design pfSense dpinger and related routing table updates of BSD won't let you use the same IP address. A routing table for a specific IP is just that: it allows an exit on a specific interface. If you connect to your VPN provider through different servers, a new gateway is created for each connection. Also, if your provider happens to give you the same IP for 2 or more connections, it might be game over conflict for connectivity tests and maybe gateway status. The solution to your problem is not to monitor the VPN gateway IP which is the same on every server, except the first connection, but choose a well known IP, e.g. 1.1.1.1 or 8.8.8.8, as monitor IP for each VPN gateway. If you need to compare VPN connections, it will not be a stable basis for comparison, as the external IP will have longer ping times by a 25% margin approx. I understand your concern from a paranoid security point of view, as pinging a VPN gateway does not leave any traceable exposure on VPN exits for your pings... where advanced adversaries might interfere with...
    The limit of monitoring with a single IP the connection status tries to tackle a new advanced plugin which is under development for the time being. Since then, try to differentiate your monitor IPs for each gateway manually.

  • how to connect the PFsense to another LAN firewall

    3
    0 Votes
    3 Posts
    196 Views
    johnpoz

    Took you since June to do that? ;) This connection is via a transit network I hope, you don't have hosts on the network you're using to connect to your downstream?

  • 0 Votes
    1 Posts
    129 Views
    No one has replied
  • Multi WAN Site-to-Site VPN with OpenVPN HELP!!!

    1
    0 Votes
    1 Posts
    100 Views
    No one has replied
  • Two WAN connections and 3 VLAN

    4
    0 Votes
    4 Posts
    277 Views
    Derelict

    No. DHCP on LAN is enabled by default and all traffic from LAN clients is passed by default. Hard to say what you might have done wrong with the information available.

  • Multi WAN BGP setup - how to configure my own IPs

    1
    0 Votes
    1 Posts
    122 Views
    No one has replied