Bug #16047 (closed): Cannot kill states using the post-NAT address

Added by Marcos M 2 months ago. Updated 2 months ago.

Status: Resolved
Priority: Normal
Category: Diagnostics
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 25.03
Release Notes: Default
Affected Version:
Affected Architecture:

Description

To reproduce:
  1. Start a continuous ping to a public address from a device behind the LAN.
    # On the PC: ping 213.246.63.45 -t
    Pinging 213.246.63.45 with 32 bytes of data:
    Reply from 213.246.63.45: bytes=32 time=151ms TTL=49
    [...]
    
    # On the firewall: pfctl -vvss | grep -A2 213.246.63.45
    igc0.5 icmp 213.246.63.45:8 <- 10.0.5.50:1       0:0
       age 00:02:10, expires in 00:00:09, 129:128 pkts, 7740:7680 bytes, rule 899
       id: 303fc86700000000 creatorid: dc608246 route-to: 192.168.100.1@igc3
    igc3 icmp 192.168.100.2:1 (10.0.5.50:1) -> 213.246.63.45:8       0:0
       age 00:02:10, expires in 00:00:09, 129:128 pkts, 7740:7680 bytes, rule 154, allow-opts
       id: 313fc86700000000 creatorid: dc608246 route-to: 192.168.100.1@igc3
    
  2. Go to Diagnostics > States, filter for the post-NAT address (in this case 192.168.100.2) and click Kill States.
  3. States using the filtered address remain. Running the same pfctl command shows the state was not reset given its age.
    igc0.5 icmp 213.246.63.45:8 <- 10.0.5.50:1       0:0
       age 00:02:45, expires in 00:00:09, 163:163 pkts, 9780:9780 bytes, rule 899
       id: 303fc86700000000 creatorid: dc608246 route-to: 192.168.100.1@igc3
    igc3 icmp 192.168.100.2:1 (10.0.5.50:1) -> 213.246.63.45:8       0:0
       age 00:02:45, expires in 00:00:09, 163:163 pkts, 9780:9780 bytes, rule 154, allow-opts
       id: 313fc86700000000 creatorid: dc608246 route-to: 192.168.100.1@igc3
    

Tested on 24.03, 24.11, and dev snapshots.
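The check behind step 3, as an added example that is not part of the report or of pfSense: parse `pfctl -vvss` output, select every state that involves a given address on either side, including the pre-NAT address shown in parentheses and the post-NAT address outside them, and confirm after a kill that those state IDs are gone or were at least re-created (age reset). The sample output is constructed from the two ICMP states above; the `AFTER` snapshot is the same states 35 seconds later, i.e. the "not killed" outcome.

```python
import re

# Constructed sample of `pfctl -vvss` output, modelled on the two ICMP states
# in the report (LAN-side state plus its NAT'd WAN-side counterpart).
BEFORE = """\
igc0.5 icmp 213.246.63.45:8 <- 10.0.5.50:1       0:0
   age 00:02:10, expires in 00:00:09, 129:128 pkts, 7740:7680 bytes, rule 899
   id: 303fc86700000000 creatorid: dc608246 route-to: 192.168.100.1@igc3
igc3 icmp 192.168.100.2:1 (10.0.5.50:1) -> 213.246.63.45:8       0:0
   age 00:02:10, expires in 00:00:09, 129:128 pkts, 7740:7680 bytes, rule 154, allow-opts
   id: 313fc86700000000 creatorid: dc608246 route-to: 192.168.100.1@igc3
"""
# Same states 35 seconds later: ages grew, so nothing was killed (constructed).
AFTER = BEFORE.replace("00:02:10", "00:02:45")

# iface proto <left endpoint> <dir> <right endpoint> <state>
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+(<-|->|<->)\s+(.+?)\s+(\S+)$")
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

def parse_states(text):
    """Group each state header line with its indented detail lines."""
    states = []
    for line in text.splitlines():
        if not line.startswith(" "):
            m = HEADER.match(line)
            if not m:
                continue
            iface, proto, left, direction, right, _ = m.groups()
            states.append({"iface": iface, "proto": proto, "direction": direction,
                           # every address on the header: pre-NAT (in parentheses)
                           # and post-NAT alike, so a filter on either one matches
                           "addrs": set(IPV4.findall(left + " " + right)),
                           "age": None, "id": None})
        elif states:
            age = re.search(r"age (\d+):(\d+):(\d+)", line)
            if age:
                h, mnt, s = map(int, age.groups())
                states[-1]["age"] = h * 3600 + mnt * 60 + s
            sid = re.search(r"\bid: (\w+)", line)   # \b excludes "creatorid:"
            if sid:
                states[-1]["id"] = sid.group(1)
    return states

def states_for(text, addr):
    """All states that involve addr on either side, NAT'd or not."""
    return [s for s in parse_states(text) if addr in s["addrs"]]

def surviving_ids(before, after, addr):
    """IDs of matching states still present after the kill whose age kept growing."""
    old = {s["id"]: s["age"] for s in states_for(before, addr)}
    return sorted(s["id"] for s in states_for(after, addr)
                  if s["id"] in old and s["age"] >= old[s["id"]])
```

An empty `surviving_ids(...)` result after `pfctl -k` or the Kill States button is what a successful kill looks like; any ID returned is a state the filter matched but the kill left in place.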

#2: Updated by Marcos M 2 months ago

  • Plus Target Version changed from 25.07 to 25.03
  • Subject changed from Cannot kill states using the outside post-NAT address to Cannot kill states using the post-NAT address
  • Status changed from Ready To Test to Resolved
  • % Done changed from 0 to 100

Now works as intended in snapshots. The fix has been picked to 25.03.
