The WAN side has nothing to do with the LAN side. In fact, you don't even need a public address on the WAN side, as routing is usually done using the link-local address. In fact, routing doesn't even require any address. The route can be specified by a point-to-point interface. However, your WAN IP address could easily be one out of a /64 prefix that's separate from your LAN prefix. Having the WAN address within the LAN prefix wouldn't work.

I'll describe what I have here, though I'm no longer using a tunnel. My WAN port has an IPv6 address and I also have a /56 prefix, which is then split into individual /64s. The WAN prefix is significantly different from either my /56 or any of my /64 prefixes, so there's no conflict between the WAN and LAN sides. Any address that's not within my /56 is elsewhere. I don't care whether they're on my ISP or not, they're just elsewhere and pfSense sends packets for them out the WAN interface to my ISP. Beyond that, I don't know or care what happens. It should be the same with you on Start.

I suggested using traceroute, as it will show whether the packets actually leave your pfSense firewall or not. If they do, the problem is elsewhere. If they don't, it's with pfSense.
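The addressing layout described in the post above, modelled as an added example that is not part of the original post: it splits a /56 into /64s, checks that the WAN prefix does not overlap it, and classifies where a destination is sent. All prefixes are constructed from the 2001:db8::/32 documentation range, and the interface names and the "unassigned" category are assumptions of this sketch, not pfSense behaviour.

```python
import ipaddress

# Constructed sample values (documentation range), not taken from the post.
DELEGATED = ipaddress.ip_network("2001:db8:1200::/56")     # prefix routed to the LAN side
WAN_PREFIX = ipaddress.ip_network("2001:db8:ffff:1::/64")  # separate prefix holding the WAN address
LAN_INTERFACES = {"lan": 0, "guest": 1, "iot": 2}          # hypothetical interface -> /64 index


def lan_subnets(delegated, interfaces):
    """Assign one /64 out of the delegated prefix to each LAN-side interface."""
    subnets = list(delegated.subnets(new_prefix=64))  # a /56 yields 256 /64s
    return {name: subnets[idx] for name, idx in interfaces.items()}


def check_no_overlap(wan_prefix, delegated):
    """True when the WAN prefix neither sits inside nor contains the LAN-side prefix."""
    return not wan_prefix.overlaps(delegated)


def egress(dst, delegated, assigned):
    """Classify a destination: a LAN interface name, 'unassigned', or 'wan'."""
    addr = ipaddress.ip_address(dst)
    for name, net in assigned.items():
        if addr in net:
            return name          # on-link on one of the LAN-side /64s
    if addr in delegated:
        # Inside the /56 but no interface carries that /64. This sketch flags it
        # separately instead of guessing what the firewall would do with it.
        return "unassigned"
    # Not within the /56: it is "elsewhere" and goes out the WAN interface.
    return "wan"


if __name__ == "__main__":
    assigned = lan_subnets(DELEGATED, LAN_INTERFACES)
    print("WAN/LAN prefixes separate:", check_no_overlap(WAN_PREFIX, DELEGATED))
    for dst in ("2001:db8:1200:2::10", "2001:db8:1200:80::1", "2001:db8:beef::1"):
        print(dst, "->", egress(dst, DELEGATED, assigned))
```

A destination that classifies as "wan" here is one where traceroute should show hops beyond the firewall; if it does not, the fault is on the firewall side.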