IPSec tunnel causes pfsense to ignore traffic from one interface
I'm trying to use a remote machine (let's call it "swan") as a pseudo internet gateway, i.e. my internet-bound traffic would normally flow local machine -> pfsense -> ISP gateway -> internet; with the tunnel it flows local machine -> pfsense -> ISP gateway -> swan -> internet. I've created an IPSec tunnel between the two: pfsense advertises 192.168.0.0/16 and swan advertises 0.0.0.0/0. This works well enough: swan can talk to machines in 192.168.0.0/16, and those machines can talk to internet hosts, which see all traffic as originating from swan.
pfsense has two LAN interfaces, 192.168.1.1 for wired and 192.168.2.1 for wireless. Both have the same sets of default rules/NAT, though the wired has an additional anti-lockout rule. Everything works fine if the tunnel is down, but if it's up, pfsense ignores traffic originating from 192.168.2.0/24 destined for its addresses, unless it initiated the connection.
For example, if I set up simple TCP servers using netcat on both pfsense and a host in 192.168.2.0/24 ("bob"), I should be able to establish a connection from pfsense to bob and vice versa, and I can if the tunnel is down: both are able to contact each other and complete the TCP handshake. However, if the tunnel is up, pfsense can successfully connect to/handshake with bob, but if bob tries to initiate a connection, nothing happens. I see bob's SYNs come in if I tcpdump the pfsense wlan interface, but they're never answered. Clearly there's nothing wrong with the link, otherwise I'd never see the packets come in and it wouldn't be possible to establish a connection from pfsense to bob.
Hosts on the wired interface are able to talk to pfsense just fine. What am I missing/why are hosts on wlan ignored if the IPSec tunnel is up?
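The test described in the question (watch the wlan interface with tcpdump, initiate from each side with netcat, see which SYNs get a SYN-ACK) is easy to script so it can be repeated with the tunnel up and down. The following is an added example, not code from the original post: it parses `tcpdump -nn` text output and reports every TCP SYN for which no SYN-ACK was seen in the reverse direction, counting retransmissions. The capture text, the addresses 192.168.2.1 (pfsense wlan) and 192.168.2.10 (bob), and port 9000 are constructed to mirror the scenario in the post; they are assumptions, not data from the original.

```python
"""Report TCP SYNs in a tcpdump text capture that never received a SYN-ACK."""
import re

# Matches the default `tcpdump -nn` line shape, e.g.
# 12:00:05.000001 IP 192.168.2.10.51000 > 192.168.2.1.9000: Flags [S], seq 10, ...
# Lines that do not match (non-TCP, verbose continuation lines) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (hypothetical, modelled on the question):
# pfsense (192.168.2.1) -> bob (192.168.2.10) completes the handshake,
# bob -> pfsense sends a SYN three times and gets no reply.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 192.168.2.1.40000 > 192.168.2.10.9000: Flags [S], seq 1, win 65535, length 0
12:00:00.000300 IP 192.168.2.10.9000 > 192.168.2.1.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000400 IP 192.168.2.1.40000 > 192.168.2.10.9000: Flags [.], ack 3, win 65535, length 0
12:00:05.000001 IP 192.168.2.10.51000 > 192.168.2.1.9000: Flags [S], seq 10, win 65535, length 0
12:00:06.000001 IP 192.168.2.10.51000 > 192.168.2.1.9000: Flags [S], seq 10, win 65535, length 0
12:00:08.000001 IP 192.168.2.10.51000 > 192.168.2.1.9000: Flags [S], seq 10, win 65535, length 0
"""


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport/flags, or None if not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "flags": d["flags"],
    }


def unanswered_syns(lines):
    """Map (src, sport, dst, dport) -> number of SYNs seen, for flows with no SYN-ACK.

    A SYN-ACK (flags "S.") travelling in the reverse direction clears the entry;
    flows that stay in the map had every SYN (including retransmits) ignored.
    """
    pending = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            pending[key] = pending.get(key, 0) + 1
        elif pkt["flags"] == "S.":
            reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            pending.pop(reverse, None)
    return pending


def main():
    for (src, sport, dst, dport), count in unanswered_syns(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {count} SYN(s), no SYN-ACK")


if __name__ == "__main__":
    main()
```

Feed it a real capture with something like `tcpdump -nn -i <wlan_if> tcp > cap.txt` on pfsense while running the netcat test from both sides, then compare the tunnel-up and tunnel-down reports: a flow that appears only when the tunnel is up is the one to trace through the firewall rules and state table.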