pfSense

First, this is using invalid actions, so this is not so critical, but doing so will result in denial of service.

--SETUP--
I start with 3 interfaces + 1 VPN interface.
WAN -> em0 -> 192.168.10.66/24
LAN -> le1 -> 192.168.1.1/24
MGMT -> le0 -> 192.168.20.66/24
VPN -> ovpnc1 -> <VPN interface IP>

So, basic setup with traffic from LAN is NATted to VPN. Everything working fine as initial condition.

--PROBLEM--
If I create a port forwarding rule (So VPN traffic on port 1234 get forwarded), but I select an invalid (user make a mistake) IP address to forward to, and set for example destination as 192.168.0.123 (mistakenly typed instead of 192.168.1.123), and apply, then the rules somehow get trashed and the firewall no longer respond.

Sometime this happen after deleting the above NAT rule.

For example, with initial setup, add port forward rule:
- Interface: VPN
- Destination: VPN address
- Dest port: 1234~1234
- Redirect target IP: 192.168.0.123
- Redirect target port: 1234
- Description: ...
- Filter rule association: Add associated filter rule
- Save, Apply.

If the firewall is still accessible, delete the NAT rule you created.

When the issue occurs, all traffic on the firewall is blocked. Only the console is available. If you disable packet filtering (pfctl -d), the the firewall is reachable, but as soon as filtering is re-enabled, traffic stop. This condition persist until reboot.