• Outbound NAT on Multi-WAN system

    NAT

    @viragomann @jimp

    LANRuleFailure.JPG

    I modified the LAN rule to use aliases that were not subject to any security settings but passed traffic to the correct gateway. Then I copied the LAN rule, made it a block rule and changed the gateway to the gateway we don't want that traffic to exit on.
    RESULT: Traffic still passes to the wrong gateway.

    Then I switched the order of the rules. Traffic was unchanged. The packet captures still show the traffic flowing from LAN to W-mpls instead of being blocked or flowing to C-ens.

    Nothing is logged for these connections. I think I found a bug.

  • johnpoz

    @regilayt FileZilla FTP server is free.

    Clearly your packets are being sent to the box; most likely a firewall issue, since you can see traffic being sent to this .131 IP.

    Are you running any other security software on the box? Firewalls quite often will allow the local network and block remote networks, etc.

    So you're using pure NAT, so guess what the source is when you come from the local network and hit your WAN IP..

    purenat.jpg

    The firewall most likely would allow that since the source is local.. I hit my WAN IP from my 192.168.9.100 box, with a port forward set to send that to my 192.168.9.10 box.. See how the sniff on my LAN interface sees the traffic to my WAN IP, and then look how it sends it on to 192.168.9.10: the source is my .100 address.

    I have nothing listening on my 9.10 on port 50022; I just wanted to show you what happens with pure NAT, and why that would be working but might not work from a remote IP, since quite possibly a firewall is blocking it. Here is the thing: you're seeing the traffic sent to the .131; it's not a pfSense problem if you do not get a response..