Your rules force all traffic out the gateway. And the rules below that make no sense, because rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. So your rule sending traffic out your gateway is any any.. When would there be traffic that does trigger that rules. When would there be traffic to ! private, that does not match the rule above it any any? If you want your clients to talk to pfsense IP.. Where do you allow that? You block talking to pfsense on 443, then your next rule says go out the vpn.. How does vpn have access to pfsense vlan30 interface for example?

And another update in my "blog". In Pihole you can set "Use Conditional forwarding" and list your domain and pfsense ip. That way I can resolve my own internal domain and at the same time use 1.0.0.3 and 1.1.1.3 for dns lookup without going to pfsense. No need to copy over the hosts file. I ended up not launch resolver and forwarder in parallel. My setup now is that I Port forward all dns request on all interfaces except the kids-vlan to my pihole-1, I then portforward request coming on my kids vlan to 53 to pihole-2. I allow outgoing requests from my pihole-1 and pihole-2. Regards. D

After looking closely at my rules, I found that my source was set for an address as opposed to the network. One quick change and all was good in the Universe!