I have a whole bunch of rules, tried configuring everything before I plugged in - maybe that was my mistake. Should I post the XML for them?
The only rules that are blocking things are "RFC 1918 networks" and a list of "banned" ip addresses that gave us trouble in the past. Everything else is set to allow / forward to various internal addresses.
I'm planning to give it another shot, probably on Monday with a minimally configured PFSense and see if I can't at least get online and ping the gateway.