Unbeknownst to me (because of a lack of verification caused by trusting in the process), I had zero traffic coming through pfSense. I don't have that much anyway.
My box lost the hard drive. I found a config file from a few months back and after installing pfSense onto the new hard drive, loaded that config file using Restore on the webGUI.
Since that backup was saved, the NIC cards got swapped around just a bit. (Having loads of Watchdog Timeouts on em0:WAN, so moved WAN to fxp1 and moved OPT1 to em0, but never connected the cable to that NIC.)
So, pfSense said the interfaces needed to be re-assigned. Which I did. That was a couple of weeks ago. Recently I got a call from a friend saying my server was not reachable.
Examining the various webGUI screens, I discovered that, oddly, nothing was in the NAT: Port Forward page.
I saved off another config file from Backup on the webGUI and made a comparison of that with the config file I used to restore. I found the expected differences, but also found the entire <nat> block was missing from the current config file.
Is there a decision made during the parsing of a config file that would cause pfSense to completely abandon the <nat> block if some aspect of the hardware installation didn't match up with the config?
Anyway, I pasted in the <nat> block to the recent config file and reloaded the config file.
It's all good now.
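
The comparison described in the post can be automated so that a dropped section is caught right after a restore rather than weeks later. The following is an added example, not part of the original post and not pfSense's own code: it compares the top-level sections of two config backups and reports any that vanished or lost entries. The sample XML, addresses and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the post): minimal pfSense-style XML.
RESTORED_FROM = """<pfsense>
  <interfaces><wan><if>em0</if></wan><lan><if>fxp0</if></lan></interfaces>
  <nat>
    <rule><interface>wan</interface><target>192.0.2.10</target></rule>
    <rule><interface>wan</interface><target>192.0.2.11</target></rule>
  </nat>
  <filter><rule><interface>wan</interface></rule></filter>
</pfsense>"""

CURRENT = """<pfsense>
  <interfaces><wan><if>fxp1</if></wan><lan><if>fxp0</if></lan></interfaces>
  <filter><rule><interface>wan</interface></rule></filter>
</pfsense>"""


def section_counts(xml_text):
    """Map each top-level section tag to the number of child elements it holds."""
    counts = {}
    for section in ET.fromstring(xml_text):
        counts[section.tag] = counts.get(section.tag, 0) + len(section)
    return counts


def compare_sections(old_xml, new_xml):
    """Return (missing, shrunk): sections gone entirely, and sections
    that still exist but hold fewer entries than before."""
    old, new = section_counts(old_xml), section_counts(new_xml)
    missing = sorted(tag for tag in old if tag not in new)
    shrunk = {tag: (old[tag], new[tag])
              for tag in old if tag in new and new[tag] < old[tag]}
    return missing, shrunk


if __name__ == "__main__":
    missing, shrunk = compare_sections(RESTORED_FROM, CURRENT)
    for tag in missing:
        print(f"MISSING section <{tag}>")
    for tag, (before, after) in shrunk.items():
        print(f"SHRUNK section <{tag}>: {before} -> {after} entries")
```

Interface name changes such as em0 to fxp1 are expected differences and are deliberately ignored; only structural loss is flagged.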