You probably need an “allow established rule” not familiar with the interface youre using so i cant guide you mich further than that
homelab
Ah, would this be a separate rule, or (as I’m using Ubiquiti) I could check “established” and/or “related” on either the allow or block rule?
It probably causes all traffic that would be NAT'd out now gets a port forward which breaks the connection because it treats the returning SYN as a new connection which creates a new port mapping that's incompatible with the original outgoing SYN, and it fails.
Try allowing all ports <10000 or something like that, you'll likely observe it works again.
You need to allow all established traffic before the any rules without further processing, or at least that's how it is with iptables. No idea what interface that is but if it's OpenWRT, it does become iptables under the hood.
When you make an outgoing connections, its source is a random local port in the 30000+ range or something like that, and when the remote server replies, it replies back on that port. But if your rules then treat the response to that port as a port forward rule, it won't reach the NAT rule that would remangle the packet in the correct way to preserve the connection.
So, server wants to go out and uses port 33333, router NATs it and rewrites it as outgoing from your public IP from say, 44444, then the remote server replies back, and the router just sends the 44444 to your server as-is because port forward, and your server's like, I don't know anyone interested in port 44444 and drops it, while the client is waiting on port 33333 to hear back and never does, until it times out.
In iptables terms, that's what --cstate ESTABLISHED,RELATED
handles and why you see it in NAT examples.
Are you able to, say, wget 1.1.1.1?
Maybe it's just DNS, since it's UDP based there is no state, although some firewalls do detect requests and treat it as pseudo-stateful.