Ephemeral Ports are your bane
TFTP is said to "only use UDP 69" but this is completely and totally inaccurate.
TFTP starts communications on UDP 69, then moves the conversation to ephemeral ports between the two systems-and depending on the systems involved, they can change during the boot process.
Note, this doesn't seem to work across VLANs....
So, where do you start?
Step 1) You need UDP 67, 69, 4011, 1024:5000 from your PXE booting machine to the PXE Server. This is because the PXE bootloader appears to use that range specifically.
Step 2) You need UDP 1024:5000, 32768-61000 from your PXE Server to your PXE booting machine. This is so that once the PXE bootloader starts the conversation, the PXE server can send the data back (via those pesky ephemeral ports). The larger range is for the PXELINUX loader-since it uses a Linux kernel. Step 3) Enable TFTP Proxy Helper on PFSense: under System -> Advanced -> Firewall & NAT -> TFTP Proxy you are going to select the respective interfaces on which the TFTP Proxy Helper shall be active.