When I try to ping an IP that has not been used before and in the LAN-part (10.96.25.128/25) from "upstream"/"outside", it gets logged on the pfsense as blocked by the firewall (which is OK in terms of fw-rules).
So the pfsense seems to take over traffic pointed to these IPs.
Could I modify NAT-rules maybe? Is that related to Outbound NAT? Could I somehow exclude
I requested a DNS-change from their network admins. If the new vms are located in the lower /25 things should work and I can go on with my actual work ;-)
(but I'd be happy to learn about the reasons for this behavior anyway)
EDIT: DNS-change requested, so I don't have to actually do something on the pfsense right now. Still interested, though. thanks all.