The firewall and forwarding rules are deleted whenever the DHCP lease from your ISP is renewed or changed. When this happens, the /usr/local/sbin/post-firewall script will be run by the router.
You'll have to create the script if it doesn't exist and make it executable with 'chmod +x /usr/local/sbin/post-firewall'.
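
A possible body for that script, as an added example that is not from the original page: it assumes the router's firewall is iptables, and the WAN interface name, LAN host and port are constructed sample values. Each rule is deleted before it is inserted, so repeated lease renewals do not stack duplicate rules.

```shell
#!/bin/sh
# Sample /usr/local/sbin/post-firewall body (added example, not from the page).
# Assumed: the firewall is iptables. WAN_IF, LAN_HOST and FWD_PORT are
# constructed sample values; replace them with your own.
WAN_IF="${WAN_IF:-eth1}"
LAN_HOST="${LAN_HOST:-192.168.1.10}"
FWD_PORT="${FWD_PORT:-8443}"
IPT="${IPT:-iptables}"   # overridable so the logic can be dry-run without root

# ensure_rule TABLE CHAIN RULE-SPEC...
# Remove one existing copy of the rule (if any), then insert it, so the script
# can run on every lease renewal without stacking duplicates.
ensure_rule() {
    table=$1; chain=$2; shift 2
    $IPT -t "$table" -D "$chain" "$@" 2>/dev/null || true
    $IPT -t "$table" -I "$chain" "$@"
}

restore_rules() {
    # Redirect only traffic arriving on the WAN interface to the LAN host.
    ensure_rule nat PREROUTING -i "$WAN_IF" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$LAN_HOST:$FWD_PORT"
    # Permit exactly that forwarded flow and nothing broader.
    ensure_rule filter FORWARD -i "$WAN_IF" -p tcp -d "$LAN_HOST" \
        --dport "$FWD_PORT" -j ACCEPT
}

# Apply the rules only when invoked under the script's real name; sourcing
# the file for a dry run just defines the functions.
case "${0##*/}" in
    post-firewall)
        restore_rules
        logger -t post-firewall "rules restored for $LAN_HOST:$FWD_PORT" 2>/dev/null || true
        ;;
esac
```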