I work at an ISP and have routed a /27 public network through an IPsec into my pfSense firewall at home. I've previously used FortiGate with policy-routing and virtual ips, but it doesn't seem to work the same way with pfSense.

On my P2 I've specified the /27 network as local subnet, and 0.0.0.0/0 as remote subnet.

In NAT 1:1:
Interface: IPsec
External IP: xxx.xxx.93.13
Internal IP: 172.16.0.65
Destination IP: *

I had to port forward ICMP with destination xxx.xxx.93.13 to 172.16.0.65 to make my pings (from AWS) show up in tcpdump.
With NAT-reflection enabled, I can access the server with its public IP locally.

Outbound NAT is set to manual, with a mapping that says:
Interface: IPsec
Source: 172.16.0.65
Source port: *
Destination: *
Destination port: *
NAT address: xxx.xxx.93.13
NAT port: *

Am I missing something? I've tried everything I could think of, and getting pretty frustrated.