ClassLink returns 403 due to state violations on 26.1.x (worked on 25.x)

Started by Maxwell, Today at 05:18:51 AM

I'm experiencing state tracking issues after upgrading from 25.x to 26.1.x that make ClassLink (educational portal) completely unusable, returning 403 Forbidden errors.

Environment:

   Hardware: Protectli fanless router
   OPNsense versions tested: 26.1.7_3 and 26.1.8_5 (both exhibit the same issue)
   Last working version: 25.x series
   Network: Single WAN, 3 VLANs (LAN, VLAN10, VLAN20)
   Firewall optimization: Tested both Normal and Conservative

Problem: After upgrading to any 26.1.x version, ClassLink (login.classlink.com, launchpad.classlink.com) returns 403 Forbidden errors. Firewall logs show state violation blocks for ClassLink traffic on both IPv4 and IPv6.

Example log entries:

 VLAN10_LAN In TCP 192.168.10.50:53925 → 23.219.1.21:443
 block - Default deny / state violation rule

 VLAN10_LAN In IPv6 [fdb9:5629:...]:50583 → [2600:1402:...]:443
 block - Default deny / state violation rule

What I've tried (all unsuccessful):

  Conservative firewall optimization + reboot
  Resetting state table
  Disabling IPv6 on affected VLANs
  Adding IPv6 allow rules
  Creating sloppy state / no state rules for ClassLink
  Disabling NAT reflection
  Disabling Hostwatch automatic discovery
  Downgrading from 26.1.8_5 to 26.1.7_3 (same issue)

What works:

  All other internet access functions normally
  Accessing ClassLink via cellular hotspot (bypassing OPNsense) works
  ClassLink worked perfectly on 25.x

Firewall rules verified:

  Default allow rules present for all VLANs
  Source port set to "*"
  No conflicting deny rules

This appears to be related to the 26.1.x unified firewall system changes. Has anyone else experienced ClassLink issues on 26.1.x?