  • DMZ connections throttled

    Firewalling
    4
    0 Votes
    4 Posts
    1k Views
    U

    @SteveITS From what I can tell, drivers are up to date.

  • Inquiry "Port forward, DMZ"

    General pfSense Questions
    2
    0 Votes
    2 Posts
    569 Views
    GertjanG

    Hi,

    No need to go to http://whatever.on.the.internet.tld
    Like Mercedes knows all about Mercedes cars, Netgate/pfSense knows all about pfSense: https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

    I would open my toolbox, that is: clicking on "Diagnostics > Packet Capture", setting up a capture on port 1194 and UDP (?), and starting it.
    Then, try to connect using your remote app.
    Stop the capture.
    Look at the result: did something actually come in on your WAN (?) NIC on this 1194 port?
    If not: the problem is upstream: traffic didn't make it to pfSense.

    Read the entire checklist on the troubleshooting page: execute every step, and if you do not understand: ask.

    "before using Pfsense I open NAT-DMZ on the router from WAN to local IP. " pfSense is not any different from any other router on planet Earth.
    You have to create a NAT rule, using incoming port, outgoing (destination) port, a 'LAN' (DMZ) IP address and that's it.
    But if 1) applies, and nothing comes in ... well yeah .... 1 explains 2.

    "I have a program that does not work in the domain environmen" : I don't understand.
    That's a typical user that describes an error.
    You are the network admin? Start detailing what actually happens. We, from here, know nothing about your network / needs / setup.
    Give details and we figure it out.

  • How to allow DMZ to LAN?

    Firewalling
    6
    0 Votes
    6 Posts
    1k Views
    DerelictD

    It is not the firewall. It must be the elastix server. Its default gateway must be 192.168.11.1.

    Connections from LAN hosts to DMZ hosts are governed by rules on the LAN interface. You could make those connections with no rules at all on DMZ.

  • Access printer on another network

    Moved Portuguese
    6
    0 Votes
    6 Posts
    2k Views
    O

    Let's go step by step so I don't mix anything up.

    From the Net modem (you don't touch that one), the LAN cable goes out to the pfSense WAN, which receives the IP (most likely) 192.168.0.100, right?

    On your pfSense LAN you could change the IP to a different class so as not to mix things up, so let's say you set the IP to 192.168.25.1. OK?

    Your second router: disconnect everything from it (even give it a reset if you want). Connect your PC to any LAN port on this router and access its settings. Change its IP to 192.168.25.2 and then disable the DHCP function on it. You will even lose access when it reboots, because since it is no longer handing out IPs your notebook will be left without one, but that's not a problem.

    After it reboots with these two settings in place, plug the cable from the pfSense LAN into a LAN port on the router and your computer's cable into another available LAN port on the router. That way you will receive an IP from pfSense and will be able to access the modem's configuration page by typing the IP 192.168.25.2.

    And that's it. (I hope hahahahaha)

  • Can access LAN web GUI from DMZ

    Firewalling
    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ

    Yeah, looks like you whited out a huge amount of rules?

    Also, even the rules I can see make no sense.

    You have an any rule that says hey DMZ net, if you're NOT going to LAN net you're allowed. Well, below that is a rule that says block going to 192.168.2/24, which is Dev Net? Why would that not be allowed in the DMZ to NOT LAN net rule?

    Do you have downstream networks other than DMZ net connected... And then below, another rule that says block dev net, is that not 192.168.2/24 that you already blocked above, etc.

    Please do not hide rules if you want help.. It's very simple. Rules are evaluated top down as traffic enters an interface. If a rule matches it wins and no other rules are evaluated. So run through your rules from the top to see if traffic should be allowed or blocked. If you have a rule that blocks before an allow - and you're still seeing allowed traffic then you prob have to clear a state from before you created that rule.

    As to that rule on top blocking - if this firewall then it should. But don't know about his states, nor what he has in the alias.