It is a bug? I dont think so. FreeBSD kernel just drop packet with bad checksum. This is problem with NAT.
So, maybe will be ignoring checksum nice to have feature, but in this case you must manualy put registry key in to windows :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
AssumeUDPEncapsulationContextOnSendRule dword:2
And you cant be sure, that will working another devices (iOS, android with specific version, MacOSX etc.).
So, I surrende and I will have public IP directly on pfSense.
Max
PS: I think, that many people use pfSense for IPSEC (IPSEC working very nice behind NAT) and many people know NAT problems, so I think that many users use public IP on pfSense