Netgate Discussion Forum
    ICMP responses for some IP-addresses are not propagated to LAN interface

    NAT
    Posted by Rogach

      Not sure that it's the right subforum, but the problem looks NAT-related. Here's my problem:

      ICMP requests (to 8.8.8.8) come in on the LAN interface, leave via the WAN interface, the response arrives on the WAN interface, but the corresponding packet doesn't appear on the LAN interface.

      pfSense version: 2.5.0-RELEASE

      Here's the tcpdump sample from LAN:

      00:56:34.120561 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 37, length 64
      00:56:35.144625 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 38, length 64
      00:56:36.168579 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 39, length 64
      

      And here's tcpdump sample from WAN:

      00:56:36.501079 IP 6.7.8.9 > 1.1.1.1: ICMP echo request, id 6313, seq 12531, length 9
      00:56:36.564018 IP 1.1.1.1 > 6.7.8.9: ICMP echo reply, id 6313, seq 12531, length 9
      00:56:37.006353 IP 6.7.8.9 > 1.1.1.1: ICMP echo request, id 6313, seq 12532, length 9
      00:56:37.069395 IP 1.1.1.1 > 6.7.8.9: ICMP echo reply, id 6313, seq 12532, length 9
      

      Extract from pftop:

      icmp      In  192.168.120.120:19     1.1.1.1:19           0:0        00:01:58  00:00:10      232    19488
      icmp      Out 6.7.8.9:32752              1.1.1.1:32752    0:0        00:01:58  00:00:10      232    19488
      

      I also noticed that this problem does not manifest for all IP addresses - for example, 1.0.0.1 works fine.

      I'm using autogenerated outbound NAT rules, they appear to be okay - they include 192.168.120.120 (ping source machine) for the WAN interface.

      I have a gateway group set up (for failover), the primary interface (currently shown as active) is WAN.
      I also have a catch-all rule in LAN Firewall rules that sends all packets to Failover gateway group.

      What could cause such behaviour? Where should I look to debug this?
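
      Added example (not part of the original post and not Netgate code). The pftop lines above show why the two captures cannot be matched on the ICMP id alone: pf rewrites the echo id when it applies outbound NAT (19 on the LAN "In" state, 32752 on the WAN "Out" state), while the sequence number and payload length pass through unchanged. The script below parses `tcpdump -n` ICMP lines from both interfaces plus the pftop ICMP states, derives the original-id to NAT-id mapping from the state table, and then reports, per echo request, how far it got: no state, no request seen on WAN, no reply on WAN, reply seen on WAN but never forwarded to LAN, or ok. The sample captures are constructed to show each outcome, not taken from the post; pairing an "In" state with its "Out" state by destination and identical age/packet/byte counters is an assumption of this script, not something pftop guarantees.

```python
import re

# Constructed sample captures in the format "tcpdump -n" prints ICMP echo
# traffic. These are NOT the poster's captures: seq 37 is answered on both
# sides, seq 38's reply arrives on WAN but never shows up on LAN, and
# seq 39 never leaves via WAN at all.
LAN_CAPTURE = """\
00:56:34.120561 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 37, length 64
00:56:34.140102 IP 1.1.1.1 > 192.168.120.120: ICMP echo reply, id 19, seq 37, length 64
00:56:35.144625 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 38, length 64
00:56:36.168579 IP 192.168.120.120 > 1.1.1.1: ICMP echo request, id 19, seq 39, length 64
"""

WAN_CAPTURE = """\
00:56:34.121003 IP 6.7.8.9 > 1.1.1.1: ICMP echo request, id 32752, seq 37, length 64
00:56:34.139870 IP 1.1.1.1 > 6.7.8.9: ICMP echo reply, id 32752, seq 37, length 64
00:56:35.145011 IP 6.7.8.9 > 1.1.1.1: ICMP echo request, id 32752, seq 38, length 64
00:56:35.163520 IP 1.1.1.1 > 6.7.8.9: ICMP echo reply, id 32752, seq 38, length 64
"""

# pftop ICMP state lines as pfSense prints them (constructed to match the
# captures above): the "In" state on LAN keeps the original echo id (19),
# the "Out" state on WAN carries the id after outbound NAT (32752).
PFTOP_STATES = """\
icmp      In  192.168.120.120:19     1.1.1.1:19           0:0        00:01:58  00:00:10      232    19488
icmp      Out 6.7.8.9:32752          1.1.1.1:32752        0:0        00:01:58  00:00:10      232    19488
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), "
    r"length (?P<length>\d+)$"
)


def parse_capture(text):
    """Parse 'tcpdump -n' ICMP echo lines into dicts; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d.update(id=int(d["id"]), seq=int(d["seq"]), length=int(d["length"]))
            pkts.append(d)
    return pkts


def parse_pftop_icmp(text):
    """Return {(lan_src, dst, original_id): nat_id} from pftop ICMP state lines.

    Assumption (heuristic, not a pf guarantee): an 'In' state and an 'Out'
    state that share destination, age, packet and byte counters belong to
    the same NAT'd flow. Fields: proto dir src:id dst:id state age expire pkts bytes
    """
    ins, outs = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9 or f[0] != "icmp":
            continue
        src, sid = f[2].rsplit(":", 1)
        dst, _ = f[3].rsplit(":", 1)
        rec = dict(src=src, id=int(sid), dst=dst, key=(dst, f[5], f[7], f[8]))
        (ins if f[1] == "In" else outs).append(rec)
    mapping = {}
    for i in ins:
        for o in outs:
            if o["key"] == i["key"]:
                mapping[(i["src"], i["dst"], i["id"])] = o["id"]
    return mapping


def trace_probes(lan_pkts, wan_pkts, mapping):
    """For each LAN echo request, report how far it got through the firewall.

    Matching across interfaces uses seq and length (unchanged by NAT) plus
    the NAT'd id from the state table, never the LAN-side id directly.
    Returns {(original_id, seq): status}.
    """
    def seen(pkts, **want):
        return any(all(p[k] == v for k, v in want.items()) for p in pkts)

    results = {}
    for p in lan_pkts:
        if p["kind"] != "request":
            continue
        nat_id = mapping.get((p["src"], p["dst"], p["id"]))
        if nat_id is None:
            status = "no-state"            # pf never created a state for it
        elif not seen(wan_pkts, kind="request", dst=p["dst"], id=nat_id,
                      seq=p["seq"], length=p["length"]):
            status = "no-wan-request"      # request did not leave via WAN
        elif not seen(wan_pkts, kind="reply", src=p["dst"], id=nat_id, seq=p["seq"]):
            status = "no-wan-reply"        # remote host did not answer
        elif not seen(lan_pkts, kind="reply", src=p["dst"], dst=p["src"],
                      id=p["id"], seq=p["seq"]):
            status = "reply-dropped"       # reply reached WAN, not forwarded to LAN
        else:
            status = "ok"
        results[(p["id"], p["seq"])] = status
    return results


if __name__ == "__main__":
    mapping = parse_pftop_icmp(PFTOP_STATES)
    report = trace_probes(parse_capture(LAN_CAPTURE), parse_capture(WAN_CAPTURE), mapping)
    for (orig_id, seq), status in sorted(report.items()):
        print(f"id {orig_id} seq {seq}: {status}")
```

      In practice you would feed it the saved output of `tcpdump -ni <lan-if> icmp` and `tcpdump -ni <wan-if> icmp` taken at the same time, plus the pftop ICMP lines. A probe that ends up as "reply-dropped" is the case described in this post: the WAN state exists and the reply is on the wire, so the next things to inspect are the firewall log for the reply being blocked on WAN, and whether the reply is actually hitting the state pf created (the WAN "Out" state's packet counter should climb by two per answered probe).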

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.