In my experience blocking 6881-6999 will help in most cases. A more effective solution involves squid. Look at one of the squid threads for my suggestion of this feature.
This is the same problem like here: http://forum.pfsense.org/index.php?topic=293.0
You have to use advanced outbound nat to create additional nat mappings for the internal networks pfsense doesn't see directly (in the webgui at Firewall>NAT, outbound tab).
Also make sure you have all routes setup accordingly.
Also, if you are using the Squid proxy package, all website accesses are tracked in /var/squid/logs/access.log. If you use authentication, the username will exist in this log as well. A GUI log viewer is in the works. Thanks!
Final update, I got it to work by switching to external port 6360, randomly picked off a chart of assigned ports. If anyone has similar problems, feel free to PM me and I'll help you through it. Thanks again everyone!
If you have DHCP on WAN you can change your destination IP of that rule to any. Unless you forward the webguiport to anything else you are protected by the NAT ;-)
Did you check the "autocreate firewall rule" at the bottom of the page when creating the portforward? This is importent as it won't pass your WAN interface to be forwarded by that NAT-rule then.