Someone posted the same issue over on the pfSense board. As you mentioned, a static route was the fix. You might want to look into that again.
http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP%2C_use_syslog%2C_NTP%2C_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
http://doc.m0n0.ch/handbook/faq-snmpovervpn.html

~~~~~~ snip ~~~~~~
Ok, I got it to work. I didn't read the article mentioned above carefully enough.
From the article:
... You can fake it out by adding a bogus static route to the remote end of the tunnel...
In my scenario "the remote end" is really the firewall with the DHCP server behind it (i.e., the main-site firewall).
So I added a static route on the main site pfSense and machines in the remote site started picking up IPs right away. The static route says:
Interface: LAN | Network: <LAN IP of far pfSense>/32 | Gateway: LAN IP of this pfSense | Desc: Dummy static route to fix DHCP Relay
What clued me in that I was creating the static route on the wrong firewall were these messages in the main-site firewall:
Jan 5 22:49:50 last message repeated 2 times
Jan 5 22:49:50 dhcrelay: packet to bogus giaddr <LAN IP of far pfSense>.
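The `bogus giaddr` messages above are the diagnostic the poster used to work out which firewall needed the static route. The following is an added example, not code from the thread or from pfSense: it scans dhcrelay syslog lines for that message, folds in syslog's "last message repeated N times" lines (which always refer to the message immediately before them in chronological order), and reports, per relay address, how many DHCP packets were dropped and the fix the thread arrived at. The log excerpt and the IP addresses in it are constructed, in chronological order; the regexes assume the message wording shown on the page.

```python
import re
from collections import Counter

# Constructed sample log, chronological order. The giaddr is the far pfSense's LAN IP
# (the relay agent); the DHCP server sits behind the firewall producing this log.
SAMPLE_LOG = """\
Jan  5 22:49:40 dhcrelay: packet to bogus giaddr 10.20.0.1.
Jan  5 22:49:50 last message repeated 2 times
Jan  5 22:49:55 dhcrelay: forwarded BOOTREQUEST for 00:11:22:33:44:55 to 10.10.0.10
Jan  5 22:50:02 dhcrelay: packet to bogus giaddr 10.20.0.1.
"""

# Matches the message on the page; the trailing dot after the address is optional.
BOGUS_RE = re.compile(r"dhcrelay: packet to bogus giaddr (\S+?)\.?$")
# Standard syslog collapsing of consecutive identical messages.
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def count_bogus_giaddr(log_text):
    """Return {giaddr: dropped_packet_count}, honouring 'repeated N times' lines."""
    counts = Counter()
    last_giaddr = None  # set only while the previous line was a bogus-giaddr message
    for line in log_text.splitlines():
        m = BOGUS_RE.search(line)
        if m:
            last_giaddr = m.group(1)
            counts[last_giaddr] += 1
            continue
        m = REPEAT_RE.search(line)
        if m:
            # The repeat count belongs to whatever message preceded it; only add it
            # to our tally if that message was a bogus-giaddr one.
            if last_giaddr is not None:
                counts[last_giaddr] += int(m.group(1))
            continue
        # Any other message breaks the chain: a later "repeated" line refers to it.
        last_giaddr = None
    return dict(counts)


def diagnose(counts):
    """One human-readable line per relay address, worst offender first."""
    report = []
    for giaddr, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        report.append(
            f"{n} relayed DHCP packets dropped: giaddr {giaddr} has no route on this "
            f"firewall. Add a /32 static route for {giaddr} (Interface: LAN, Gateway: "
            f"this firewall's LAN IP) so replies are routed into the IPsec tunnel."
        )
    return report


if __name__ == "__main__":
    for line in diagnose(count_bogus_giaddr(SAMPLE_LOG)):
        print(line)
```

Because syslog only ever collapses identical consecutive messages, tracking the previous line's giaddr is enough to attribute the repeat count correctly; a repeat line following any other dhcrelay message is ignored.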