Thanks Amos and GarethC for your comments and suggestions!
In the end we ran with acl peers src <pfsense IP address> follow_x_forwarded_for allow pfsense follow_x_forwarded_for deny all And it's working a treat - IPs logging just as we want. Cheers guys, Peter.
