@cobra_phil
I just realized that some of the answers to my questions were available in some of the screenshots your posted a month ago in your original post. Here is my thinking from the 35,000 foot view........
Configure pfSense to receive an address from ISP on WAN via their DHCP server
Create a "management" interface on LAN with a private address range and its own DHCP server. This allows you to plug in a laptop or other host and talk to pfSense, manage firewall rules, DNS, pfBlocker etc. as well as any switches or wireless access points you might have
Create a bridge interface with WAN & OPT1 where all your clients will connect. This will be a DMZ of sorts where your clients get addresses directly from ISP and can pass credentials, etc. See Internal / External Bridges on this page:
https://docs.netgate.com/pfsense/en/latest/bridges/index.html
Create a series of firewall rules to intercept and redirect DNS traffic to pfSense.
Configure Unbound to listen for DNS requests on OPT1. Unbound can then either act as a resolver and serve up the appropriate web addresses or forward those requests to your DNS provider of choice.
pfBlocker can also be used on pfSense defined interfaces (WAN, LAN, OPT1....) to filter content, IP ranges, etc.
Hope this helps. I'm far (far, far) from an expert but let me know how you want to proceed.
Cheers.