...screenshot of rule set... ... how did you check which rule worked?
Longer VersionMore accurately, the following order (still simplified) is found in the ruleset (Check /tmp/rules.debug): Outbound NAT rules Inbound NAT rules such as Port Forwards (including rdr pass and UPnP) NAT rules for the Load Balancing daemon (relayd) Rules dynamically received from RADIUS for IPsec and OpenVPN clients Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.) User-defined rules: Rules defined on the floating tab Rules defined on interface group tabs (Including IPsec and OpenVPN) Rules defined on interface tabs (WAN, LAN, OPTx, etc) Automatic VPN rules