Today I converted my mail server to dualstack and therefore added the IPv6 address to the alias in the WAN rule. However, no tcp handshake was established (the syn-ack couldnt "get out").
After several hours of searching, I recreated the exact same rule and suddenly it worked.
How can this happen?
See Firewall - Diagnostics - States - Actions.
I even rebooted the machine without luck. If it was a state issue the reboot should have solved it.