Hi,
The default firewall rule present on LAN will handle the job : pass all.
I'm not using any Google tools myself (except their mail services) but I guess "Chrome Remote Desktop" works the same way as "TeamViewer" : there is no need to setup something on your router. There is nothing that says you have to "NAT" something on your router.
Which is quiet logic because Google want to see all the information you see, so all info passes by THEIR servers fist. This means that both app on both sides connects to a central Google server, which means that both devices - the controller and the "controlled one" make outbound connections only, which means pfSense is set up by default just fine.