nmap -p - -T4 -A -v -Pn WAN-IP
Are you scanning your WAN address from inside your network or from the Internet over a different uplink? Scanning from inside will not work, or rather will not give the correct and desired results. If e.g. SSH is allowed on LAN, scanning port 22 from LAN will result in "open", even if the target is "WAN address".
Please show the rules at
Firewall > Rules > WAN
Firewall > NAT > Port forwarding
There's the OPNsense UI listening on 80, so with an allow rule in place a connect can happen.