Hi @chpalmer,
You were right; the problem was an incorrect gateway configuration on the webserver.

Thanks again!

@samto I found a root cause of the problem. It is well described here: https://www.everythingcli.org/ssh-tunnelling-for-fun-and-profit-tunnel-options/

So, the combination ssh -f -T -N -R works fine

Voila (quelques) infos ...

On voit qu'il y a 2 machines qui doivent faire du NAT :

le Microtik, situé ente 2 réseaux distincts, le pfsense , situé entre 2 réseaux distincts.

Donc double NAT à réaliser, ou plutôt, 2 machines avec chacune son réglage de NAT (Port forward).

Certains préfèrent un simple 'modem' (ou bridge) devant pfSense, ainsi pfSense a l'ip publique et il n'y a qu'un réglage de NAT à réaliser.

Certaines Box ont une définition de 'dmz' : tout trafic internet en renvoyé (=Port forward) vers le WAN du pfSense, il ne reste que le réglage du pfSense.

You are 100% correct sir! That was the problem indeed, thanks for pointing that out!

Which VPN service are you using? Almost all mainstream providers offer a split tunneling feature that allows you to choose which data to send through the VPN and which not. I use PureVPN but many others like ExpressVPN offer the same with their apps.

@JKnott
It is unusual, but it's the standard Comcast setup when you have a business account with static public IPs. For residential, or lower-tier business accounts, you get a dynamic public IP. I'm talking about v4, but they are now providing a static v6 block with the v4, and a residential user gets a dynamic /60.

@Gertjan shodan.io is a service that scans the internet for known exposure and for vulnerabilities

i remember you are french, so I link you here a video in French on the subject https://youtu.be/SxjmOFBtsvk

Closing this. Thanks for pointing me into the direction of testing the Ping on the CARP VIP. That ended up being the issue. Turns out somehow ISP took back one of our 3 IPs, we got them to put it back on our account and now we are back to normal. Can ping off that CARP VIP as well as port forwarding works now using the CARP VIP as Destination Address.

Thanks again @Derelict