this may be attributed to NAT reflection not being enabled on all configurations.
The clients checks itself by connecting to the outside port it forwarded and see if it works. eMule has some KAD network issues with this UDP port forward as well. So yes, it would actually work from the outside. But testing from the inside would/could fail.
Starting with version 2 a user manager will be included for administration. That one will be a lot more fine grained. So after 2.0 is released we can do something with this.
Release schedule for 2.0 is currently quite uknown.
See http://cvstrac.pfsense.com/tktview?tn=1138,6 for how to setup a workaround rule for this problem. At least for natreflection this should work for 1.0.1 without this rule but you will need it for ftphelper anyway so it won't hurt ;)
You have to disable the antilogout rule at lan (system>advanced) which grants access to the lan IP of the pfsense. This rule is in place to make sure you don't log yourself out from the administration. Beware that disabling that rule might log you out if you have incorrect rules at LAN, so verify your settings before applying a new ruleset.
Port 67 is the port a bootp/dhcp server listens on, port 68 is the port the DHCP server
sends out information on. So there is a DHCP server on your WAN. These things tend to spew a lot of packets. Very annoying.
I dropped all of the Gateways but still cannot connect to the WAN from my host on the OPT1 network. I can connect from my LAN to the host on the OPT1 network.