I was thinking about it. The gateway is within the CIDR block but hosted on the ISP's side. I think this is the problem. Once I tell pfSense that we have a /28, it won't route out to an IP within that block.
If so, I should tell pfSense that we have a single IP address /32 with the gateway being another /32 nearby. Then I can add the additional individual addresses that should be on our side as virtual IP addresses.
Does this make sense?
Another possible cause could be that I had all the IP addresses set up as virtual addresses, when they were also configured as the static CIDR addresses...
Either way, I'm thinking of trying it with a clean install / minimal config and getting online first, then adding all my rules.
Thanks for your help!