Symptoms of this problem are that for the system designated as DMZ+, anything that tries to create more than a few TCP connections per second (e.g. http, https) to the same server will be blocked and fail to work. ICMP and UDP based services will generally continue to work, so you'll be able to resolve hostnames and ping. TCP based services that use a single connection will generally also continue to work (e.g. ssh). If you look in your firewall log on the 5268's web interface, you will see a large number of entries ending with "TCP FLOOD" corresponding to all the blocked connections.
The bad firmware version is 11.3.x.x; you can check your firmware version from the web interface at Settings | System Info | Status | Software Version.
Fortunately there is a newer version of the firmware available (11.4.x.x) that fixes the DMZ+ issues. https://www.dslreports.com/forum/r32412 ... ~start=206 explains how to manually upgrade to 11.4.x.x firmware.
AT&T currently seems to be actively pushing out the 11.3.x.x firmware -- I was auto-updated yesterday mid-day. Why are they forcing an update to a firmware version that has a major known bug? Perhaps best not to ponder; that way lies madness.
Anyway, Sonic tech support seemed completely unaware of any of these issues when I called last night, so I'm posting here in the hope that I may save someone else a wasted night of debugging weird connectivity issues and searching the web.
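A quick way to confirm the symptom described in the post (a burst of TCP connections to one server fails while a single connection works) is to open a batch of connections in quick succession and look at how they fail. The script below is an added example written for this page, not something from the original post or from AT&T/Pace; the "first few succeed, the rest silently time out" pattern check is my own heuristic, the loopback listener exists only so the script can be exercised offline, and the file name `burstcheck.py` is hypothetical.

```python
"""Burst-connection check for the "TCP FLOOD" symptom described above.

Added diagnostic, not part of the original post. It opens many TCP
connections to one host:port in quick succession and records, in order,
whether each connect() succeeded, timed out (silently dropped, which is what
a firewall block usually looks like) or was refused. The loopback listener
at the bottom is constructed so the script also runs offline.
"""
import socket
import threading
import time
from collections import Counter


def burst_connect(host, port, count=20, interval=0.0, timeout=3.0):
    """Open `count` TCP connections to host:port as fast as `interval` allows.

    Each successful connection is held open until the burst completes so they
    are concurrent, distinct flows. Returns the outcomes in order, one of
    "ok", "timeout", "refused" or "error" per attempt.
    """
    outcomes = []
    held = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            outcomes.append("ok")
            held.append(s)
        except socket.timeout:
            outcomes.append("timeout")
            s.close()
        except ConnectionRefusedError:
            outcomes.append("refused")
            s.close()
        except OSError:
            outcomes.append("error")
            s.close()
        if interval:
            time.sleep(interval)
    for s in held:
        s.close()
    return outcomes


def summarize(outcomes):
    """Count outcomes by kind, e.g. Counter({'ok': 3, 'timeout': 17})."""
    return Counter(outcomes)


def first_failure_index(outcomes):
    """Index of the first non-"ok" outcome, or None if every connect succeeded."""
    for i, outcome in enumerate(outcomes):
        if outcome != "ok":
            return i
    return None


def matches_flood_block_pattern(outcomes):
    """Heuristic (an assumption, not from the post): the first few connects
    succeed and every attempt after the cut-off times out, i.e. packets are
    being dropped rather than refused. A fully successful burst, or one that
    fails from the very first attempt (host down, wrong port), does not match."""
    cut = first_failure_index(outcomes)
    if cut is None or cut == 0:
        return False
    return all(outcome == "timeout" for outcome in outcomes[cut:])


def start_loopback_listener(backlog=128):
    """Constructed test server on 127.0.0.1 so the checker can run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(backlog)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Real check from the DMZ+ host: python3 burstcheck.py <host> <port>
        host, port, srv = sys.argv[1], int(sys.argv[2]), None
    else:
        srv, port = start_loopback_listener()
        host = "127.0.0.1"
    result = burst_connect(host, port)
    print(summarize(result))
    print("first failure at:", first_failure_index(result))
    print("matches flood-block pattern:", matches_flood_block_pattern(result))
    if srv:
        srv.close()
```

Run it from the DMZ+ machine against a server you can normally reach on port 443 (or 80); a result with a handful of "ok" followed by a run of "timeout" is what the firmware bug should look like, and it lines up with the "TCP FLOOD" entries in the gateway's firewall log. An immediate "refused" or a failure on the very first attempt points at something else (host down, port closed), not this bug.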