We've got an 'allow anything' rule on the LAN interface (VLAN 10) and an 'allow anything' rule on the IPSEC interface on pfSense. If I do a tcpdump on enc0 and ping a host on the LAN subnet from the other end of the IPSEC tunnel (10.1.1.0/24), I see the incoming ping request and the outgoing ping response, but the remote network never receives the packet. I've also checked the filters on the remote Linksys router, and I'm not having much luck. We've even tried dropping the filters on the remote end entirely, and still no response.
In my initial look at the state table I wasn't quick enough. An initial attempt to go directly to the host without involving NAT happens, and then after some time NAT gets involved. I also have the system logging all blocked packets, and I don't see any blocks of my ICMP packets being logged.
If I see the incoming request and the pinged host's response on enc0, that seems to indicate that the filters on pfSense aren't in play, unless the outbound ping response is getting filtered out somewhere and I'm just not finding it. I've got the exact same setup working on v1.0.1, so I'm really not sure why this isn't working on the new version. Has the handling of packets destined to IPSEC tunnels changed in 1.2 beyond the IPSEC interface filters? I'm really baffled by this one…
Thanks again for any insight you can offer on this one.
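The post above is checking by eye, on a `tcpdump -ni enc0 icmp` capture, whether each echo request coming in from the tunnel gets a reply whose source is still the LAN host (i.e. NAT has not rewritten it) and whose destination is back inside the remote subnet. The following is an added example, not code from the post or from pfSense, that does the same pairing mechanically. It assumes the remote subnet 10.1.1.0/24 from the post; the LAN host 192.168.10.20, the rewritten source 203.0.113.7, the SPI values and the whole capture text are constructed for the example, and the line format is the one FreeBSD's tcpdump prints for enc0 with `-n`.

```python
import ipaddress
import re

# Far-end subnet of the IPsec tunnel, taken from the post.
REMOTE_SUBNET = "10.1.1.0/24"

# Constructed sample of `tcpdump -ni enc0 icmp` output (not a real capture).
# On FreeBSD enc0 prefixes each packet with "(authentic,confidential): SPI ...".
# seq 1: request and a clean reply.  seq 2: reply left with a rewritten source
# (what NAT "getting involved" would look like).  seq 3: no reply at all.
SAMPLE_CAPTURE = """\
10:00:00.000100 (authentic,confidential): SPI 0x0a1b2c3d: IP 10.1.1.5 > 192.168.10.20: ICMP echo request, id 4321, seq 1, length 64
10:00:00.000400 (authentic,confidential): SPI 0x1a2b3c4d: IP 192.168.10.20 > 10.1.1.5: ICMP echo reply, id 4321, seq 1, length 64
10:00:01.000100 (authentic,confidential): SPI 0x0a1b2c3d: IP 10.1.1.5 > 192.168.10.20: ICMP echo request, id 4321, seq 2, length 64
10:00:01.000400 (authentic,confidential): SPI 0x1a2b3c4d: IP 203.0.113.7 > 10.1.1.5: ICMP echo reply, id 4321, seq 2, length 64
10:00:02.000100 (authentic,confidential): SPI 0x0a1b2c3d: IP 10.1.1.5 > 192.168.10.20: ICMP echo request, id 4321, seq 3, length 64
"""

# Matches the ICMP echo part of a tcpdump -n line; the enc0 prefix is ignored.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Yield (kind, src, dst, id, seq) for every ICMP echo line in the capture."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])


def analyze(text, remote_subnet=REMOTE_SUBNET):
    """Pair echo requests with replies by (id, seq) and give each a verdict.

    Assumes the pings originate on the far side of the tunnel, as in the post.
    Verdicts: ok, no-reply, reply-src-rewritten (NAT touched the reply),
    reply-dst-outside-tunnel, reply-without-request.
    """
    remote = ipaddress.ip_network(remote_subnet)
    requests = {}
    verdicts = {}
    for kind, src, dst, ident, seq in parse_capture(text):
        key = (ident, seq)
        if kind == "request":
            requests[key] = (src, dst)
            verdicts[key] = "no-reply"  # until a matching reply shows up
            continue
        req = requests.get(key)
        if req is None:
            verdicts[key] = "reply-without-request"
        elif src != req[1]:
            # The reply should come from the host that was pinged; a different
            # source means outbound NAT rewrote it on the way to the tunnel.
            verdicts[key] = "reply-src-rewritten"
        elif ipaddress.ip_address(dst) not in remote:
            verdicts[key] = "reply-dst-outside-tunnel"
        else:
            verdicts[key] = "ok"
    return verdicts


def report(text, remote_subnet=REMOTE_SUBNET):
    """Print one line per echo request/reply pair, in id/seq order."""
    for (ident, seq), verdict in sorted(analyze(text, remote_subnet).items()):
        print(f"id {ident} seq {seq}: {verdict}")


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```

In practice you would feed it a real capture, e.g. `tcpdump -ni enc0 -l icmp | python3 this_script.py`-style piping with `sys.stdin.read()` in place of `SAMPLE_CAPTURE`. A run of `reply-src-rewritten` verdicts after a few `ok` ones is the signature of the "NAT gets involved after some time" behaviour described in the post, and it is worth correlating with `pfctl -ss` at the same moment.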