By default, pfSense rewrites the source port on all outgoing packets. Many operating systems do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind the firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities.
However, this breaks some applications. When Advanced Outbound NAT is disabled, the built-in rules exempt UDP 500 (ISAKMP, used for IPsec VPN traffic) from this rewriting, because that traffic will almost always be broken by a rewritten source port.
Note that 1.2.3 and older releases do not rewrite the source port on SIP (UDP 5060) traffic by default, though 2.0 and newer do. If problems with handsets are encountered on an older release, upgrade to a current version of pfSense or manually adjust the outbound NAT rules.
Other protocols, such as those used by some games, may not work properly when the source port is rewritten. To disable this behavior for such traffic, enable the static port option on the matching outbound NAT rule.
Connections matching that rule will then retain their original source port.
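As an added illustration (constructed for this page, not copied from a pfSense install), the following pf-style NAT rules show the difference between the default port-rewriting rule and a static port rule. The LAN subnet 192.168.1.0/24, the WAN address 203.0.113.5 and the SIP handset at 192.168.1.50 are assumed values.

```pf
# Automatic outbound NAT as pfSense generates it when Advanced Outbound NAT
# is disabled: ISAKMP (UDP 500) keeps its source port, everything else is
# rewritten to a random high port.
nat on $WAN inet from 192.168.1.0/24 to any port 500 -> 203.0.113.5/32 static-port
nat on $WAN inet from 192.168.1.0/24 to any -> 203.0.113.5/32 port 1024:65535

# Manual rule equivalent to ticking "static port" for a SIP handset.
# pf applies the first matching nat rule, so this must precede the
# catch-all rule above to take effect for that host.
nat on $WAN inet proto udp from 192.168.1.50 to any port 5060 -> 203.0.113.5/32 static-port
```

Only the traffic matched by a static-port rule loses the randomization; hosts covered by the catch-all rule are still protected from source-port fingerprinting.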