Here are my relevant NAT entries:
With these rules, my wpad.dat is still hit (I just checked) but if anything tries to bypass wpad it is redirected to my proxy setup. My wpad does nothing currently, just redirects to the proxy the same as NAT. Some of the devices on my network aren't capable of auto-detect, so they are either pointed directly to the proxy or NAT handles it.
Here is an extract from my lighty-proxy-wpad.conf:
The server.bind line has my pfSense private IP between the double quotes. The mimetypes entry has all the other entries deleted to make the image smaller, but you can see that I added two lines for .dat and .da files. I also commented out all the 443 and SSL stuff. This file was originally a copy of the webgui's /var/etc/lighty-webConfigurator.conf. Then I have lighttpd running like this:
/usr/local/sbin/lighttpd -f /path/to/wpad/lighty-proxy-wpad.conf
This is my webserver for port 80 requests, that serves my wpad to client devices on my network. I use a service to start lighttpd up and monitor it, but you can use a entry in the config. Or another method.
I also have firewall rules to allow traffic on my interfaces to wpad, my proxy and other services: