I was talking about the rules on pfSense, of course. As mentioned, such traffic must not be handled by floating rules. I don't know if you've set up some. You may also do a workaround with an SNAT rule for that traffic on the Debian system to get the routing work. But maybe that's not the best solution.