Rules not being matched as expected

Buckbeak

I'm having trouble with a new pfsense installation. My rules aren't being matched as I would expect them
to be. The default rule is being
triggered, even though it is farther down in the list and there are rules above the default rule that I would
expect to be matched, but aren't:

(bge0 is the LAN interface)

From pfctl -s rules -vv  :
@108 pass in quick on bge0 all flags S/SA keep state label "USER_RULE: catchall"
.
.
.
@115 block drop in log quick all label "Default deny rule"

A log entry:
pf: 710005 rule 115/0(match): block in on bge0: (tos 0x0, ttl 63, id
14015, offset 0, flags [DF], proto TCP (6), length 64) 10.x.y.z.80 >
72.30.xxx.xxx.54707: S, cksum 0xb09a (correct),
1222312383:1222312383(0) ack 2341411941 win 49232 <nop,nop,timestamp<br>12784312 1491842314,mss 1460,nop,wscale 0,nop,nop,sackOK>

The ip's on the inside (10.x.y.z) are not on the LAN subnet, but are
on other internal subnets that are being routed to pfsense. There are
static routes for the internal networks that point to the inside
router that pfsense is connected to.

So…. why is rule 115 getting matched and not 108?

I had the same thing happen on the WAN side too, no one can get to the
web server:

@55 pass in quick on bge1 inet proto tcp from any to 10.x.y.z port =
http flags S/SA keep state label "USER_RULE: web server"
.
.
.
@87 block drop in log quick on bge1 all label "USER_RULE: catchall"

Log:
pf: 054917 rule 87/0(match): block in on bge1: (tos 0x0, ttl 245, id
11247, offset 0, flags [none], proto TCP (6), length 40)
68.58.xx.xx.36288 > 10.x.y.z.80: R, cksum 0x5544 (correct), 0:0(0) win
0

10.x.y.z is setup as a 1:1 NAT.

Why is rule 55 not being matched?</nop,nop,timestamp<br>