Some protocols need more than one TCP or UDP connection. For NAT to work, the firewall has to open the additional ports automatically so that the client-server connection can be established. Examples are FTP (port 21 for the handshake, additional ports for data) and PPTP (port 1723 for the handshake, IP protocol 47 (GRE) for the payload).
Since approximately Linux kernel 4.7, these connection helpers are no longer bound automatically by iptables, for security reasons. The idea is that you activate each connection helper explicitly with iptables rules. Just loading the helper module is not enough.
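The explicit activation described above, as an added example that is not part of the original text: the script prints (or, with "apply", runs as root) rules that bind the ftp and pptp helpers in the raw table with the CT target. The interface name eth1, the restriction to the inside interface and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: explicit conntrack helper assignment for FTP and PPTP.
# Assumptions: iptables with the raw table and the CT target is available;
# LAN_IF is the inside (client-facing) interface, eth1 is a placeholder.

LAN_IF="${LAN_IF:-eth1}"
AUTO=/proc/sys/net/netfilter/nf_conntrack_helper

# helper_rules NAME PROTO PORT
# Print the commands that load one helper and bind it to one control port.
helper_rules() {
    name=$1 proto=$2 port=$3
    echo "modprobe nf_conntrack_$name"   # connection tracking part
    echo "modprobe nf_nat_$name"         # NAT part of the same helper
    # Only control connections arriving on the inside interface get a helper,
    # so no other traffic can make the firewall open extra ports.
    echo "iptables -t raw -A PREROUTING -i $LAN_IF -p $proto --dport $port -j CT --helper $name"
}

# all_rules
# Keep automatic assignment off where the switch exists, then bind the two
# helpers named in the text: FTP on tcp/21 and PPTP on tcp/1723.
all_rules() {
    echo "if [ -e $AUTO ]; then echo 0 > $AUTO; fi"
    helper_rules ftp tcp 21
    helper_rules pptp tcp 1723
}

# Dry run by default; "apply" executes the commands and stops on the first error.
if [ "${1:-}" = "apply" ]; then
    all_rules | sh -e
else
    all_rules
fi
```

Run it without arguments to review the rules first; `iptables -t raw -L PREROUTING -n -v` afterwards shows whether the CT rules are matching traffic.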
To restore the old behavior, you can add this to your startup scripts (for example /etc/rc.local):
# echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper