"Additionally am I right in thinking that in order to block comms between LAN/OPT/DMZ interfaces, I need to specifically add in a block rule to block lan net to dmz net etc?"
Well, it would depend. Out of the box, when you create an OPT interface pfSense puts NO rules on it, so everything would be blocked hitting that interface. As to specific block rules and such, it depends on what, if any, traffic you want to allow between your different segments and what direction this traffic will be initiated from.
Rules are evaluated top down on the interface they enter pfSense on. The first rule to trigger wins; no other rules are looked at. There is an explicit deny at the end: if no rules trigger on an interface, then that traffic would not be allowed. This is on each and every interface.
"Am I right in thinking that my local device names will be passed up to the DNS servers upstream, so to speak, i.e. the OpenDNS servers?"
No, you're not right in thinking that... It always just blows my mind how the internet is useless without DNS, and everyone uses it every single day on every single connected device they own, yet it seems nobody understands even the basic concepts of how it works ;) Just freaking blows my mind!!!
If you want your clients to resolve your local devices by name and not broadcast for them, then you need to use a nameserver (DNS) that can resolve them for you, i.e. pfSense. Having a client ask OpenDNS or Google DNS is not going to be able to resolve your local devices by name other than via broadcast. So if those other devices are on another network segment, that is not going to work!!
Setting your clients to have 2 DNS servers, i.e. pfSense and something public, is not going to work because you can never be sure which DNS your client is going to ask. And it sure doesn't ask them in order or both at the same time, etc. There are differences depending on what OS your client is using, but in the big picture your clients should only ever use nameservers that can resolve the same stuff. If what you're wanting is to resolve public stuff, then sure, you could use OpenDNS, Google DNS, 4.2.2.2, since any public DNS can and should be able to resolve all public domains. But they are not going to be able to resolve your local stuff.
So if you want to resolve local stuff, then your clients have to ask your local DNS. You could get fancy and set up more than 1 that have the same local data, but in your typical SOHO type setup there will be 1: pfSense, if you're wanting to run pfSense.
So your clients ONLY ask pfSense!!! This is how pfBlocker ad blocking works: you have to be asking pfSense using unbound. Now you can set up unbound to resolve, or forward. If you want to forward to OpenDNS you can do that. But your clients need to only be asking your local DNS first if they want to resolve local. Then you set up your local DNS to either forward or resolve.
If you have no rules on OPT, but any any on LAN for example, and LAN creates the connection to something in OPT, the state that pfSense creates would allow the return traffic.
While I commend wanting to learn about IPS/IDS, unless you know what you're doing it's going to be very painful!!! I would suggest you turn it on in MONITOR mode only!!! This can report on stuff that it sees, but will not block anything. This allows you to trim down the noise before you actually go into IPS mode. IPS is not something for "hey, that is what a mask is, oh, that is TCP traffic, and that is UDP... but really don't know what the difference is" ;)
pfBlocker is a great package when used correctly and understanding what it does. But to be honest it can be quite confusing to someone that is just learning about networking/firewalling/etc. Letting it autorule shit is prob going to break stuff, if you want my honest opinion, no offense bcan!! Wanting to run an adblocker that is DNS based without understanding how DNS works is just asking for trouble if you ask me!! Most likely going to break shit again!!!
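The two firewall points made in the post above (rules are read top down on the interface the packet enters, first match wins with a deny at the end of every interface's ruleset, and a state created by a pass rule on LAN lets the reply back in on an OPT interface that has no rules at all) as a small Python model. This is an added example, not pfSense or pf code: the interface names, addresses, rule set and packets are constructed for illustration, and matching is deliberately simplified (plain 5-tuple states, no TCP flag tracking, no NAT).

```python
"""
Toy model of pfSense-style per-interface rule evaluation plus connection state.

Added illustration only, not pfSense/pf code. Interface names, rules and the
packets in demo() are constructed for the example.

Behaviour modelled:
  * rules are attached to the interface a packet ENTERS the firewall on
  * rules are read top down; the first match wins and later rules are ignored
  * no matching rule (or no rules at all) means the packet is denied
  * a "pass" rule creates a state; the reply of that flow is allowed back in
    on the other interface even though that interface has no rules
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on ("lan", "dmz", ...)
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    proto: str = "any"
    src: str = "any"               # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Firewall:
    def __init__(self, rules: dict):
        self.rules = rules    # {iface: [Rule, ...]} in top-down order
        self.states = set()   # (proto, src, sport, dst, dport) of passed flows

    def filter(self, pkt: Packet) -> str:
        """Return 'pass' or 'block' for a packet entering on pkt.iface."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # An existing state is checked before any rule on any interface.
        if key in self.states or reply in self.states:
            return "pass"
        # An interface with no entry behaves like a fresh OPT: no rules.
        for rule in self.rules.get(pkt.iface, []):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action          # first match wins
        return "block"                      # nothing matched: default deny


def demo() -> dict:
    """Constructed scenario: LAN 10.0.10.0/24, DMZ (an OPT interface) 10.0.20.0/24."""
    fw = Firewall({
        "lan": [
            # Must sit ABOVE the pass rule or it never fires (top-down evaluation).
            Rule("block", proto="tcp", dst="10.0.20.0/24", dport=22),
            Rule("pass", src="10.0.10.0/24"),        # the usual "LAN net to any"
        ],
        "dmz": [],                                    # freshly created OPT: no rules
    })
    out = {}
    # LAN host opens HTTP to a DMZ web server: matched by the LAN pass rule.
    out["lan_to_dmz_http"] = fw.filter(Packet("lan", "tcp", "10.0.10.5", 51000, "10.0.20.8", 80))
    # The reply enters on DMZ, which has no rules; the state lets it through.
    out["dmz_reply"] = fw.filter(Packet("dmz", "tcp", "10.0.20.8", 80, "10.0.10.5", 51000))
    # A DMZ host starting its own connection to LAN has no state and no rule.
    out["dmz_to_lan_new"] = fw.filter(Packet("dmz", "tcp", "10.0.20.8", 40000, "10.0.10.5", 445))
    # SSH from LAN to DMZ hits the block rule first; the pass rule below is never read.
    out["lan_to_dmz_ssh"] = fw.filter(Packet("lan", "tcp", "10.0.10.5", 51001, "10.0.20.8", 22))
    return out


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:18s} {verdict}")
```

Swapping the two LAN rules makes the SSH block rule dead: the "LAN net to any" pass matches first and creates a state, which is exactly the "first rule to trigger wins" point above.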