I tried remove my DMZ-DMZ rule and changed my gateway to “default” instead of “WAN_PPPOE”, it works fine.
I, sort of, understand how this works now, but still need to capture some packets to prove.
Because I used VPN client via my VPn provider’s gateway for major traffic for privacy purposes and that VPn client will inject 0.0.0.0/1 and 22.214.171.124/1 to suck all traffic on vpn tunnel. If I didn’t use this “explicit” gateway to “WAN”, it will route this traffic to “default” on router and to VPN tunnel. This is why I used this DMZ-net—DMZ net and with default to WAN GATEWAy for at very beginning.
Now, I am using three vpn client as load-balance and fail-over, I had to block them ‘injecting’ those two routes; so, I can solely rely on “rules” to redirect traffic either to VPN or to WAN. This is why it worked if I set up as yours with not DMZ-net—DMZ net rule and default gateway.
THanks for helping out… I would want try one more time late with OpnSense… The only different setting between pfsense and opnSense is that I used DNS forwarder for pfsense and DNS resolver for opnsense… I am not sure whether that makes diff behaviour…