It was a known bug in the 7.x firmwares, that when upgrading from 6.x to certain 7.x verisons,
NAT port forwarding rules were messed up (in our cases: source zone was openvpn, then was turned to WAN?.)
This was fixed in the latest 7.4.x versions - it was even mentioned in the release notes.
Now, the bug is back when I upgraded from 6.9.5 to 7.5 directly.
Beware: In the overview of Port Forwards, it says source zone: openvpn, only when editing you see source zone is acutylly LAN.