@bmeeks Thanks for your feedback, I'll try your suggestions! And I can narrow those down to just a couple:
DHCP is set to almost default - it hands out it's own ip address as the default gateway. I didn't want to use the ISP's DNS servers, preferring to specify my own (used to be OpenDNS now Cisco Umbrella, 208.67.222.222 and 208.67.220.220). I've since changed to Google's and CloudFlare's as they support DNS over TSL - I HAD that running fine for ALL hosts on the network - except when the Roku TV came along. It's again important to note out of the box, the TV (wired to the WiFi router, NOT WiFi), promptly connected to the internet, downloaded and applied an "update" all on its own, restarted, only then could not access the internet ever since as long as pfSense is the firewall. NO other changes! All other hosts still have internet just fine also with no changes.
Since that time, pfSense DNS Resolver and Forwarder are disabled. I've tried letting the TV grab an ip address via DHCP from the lease pool - it does, shows the proper default gateway (no ability to show much else), cannot access the internet. Phone hotspot via WiFi: internet works. Swapping pfSense to an old Cisco Pix - internet works - with the same WiFi router connection (wired to one of its LAN ports).
I've since plugged the TV directly into the LAN port of pfSense, eliminating all other devices. It obtained a pfSense DHCP address and proper gateway . . . no internet. That entirely eliminates the WiFi router as the culprit.
I hear you about tinkering with DNS settings - although I'm rather new to pfSense, I do know DNS rather well (running many DNS servers myself in my day job, mostly Windows) plus configuring many corporate outside DNS configurations for outside-facing DNS for their domains).
Something has to be set correctly - again every other device has internet access no problem - ONLY the TV does not, only when connected through pfSense.
I just tried using my phone hotspot, connected the TV via WiFi - internet works. We also know it can connect using the old PIX firewall (also a DHCP server and NAT device).
I'm running pfSense 2.4.5-RELEASE-p1
Taking your suggestion, DNS is at "default" - IIRC. General tab is blank for all DNS items, all boxes unchecked. Services/DNS Resolver is enabled, all top checkboxes unchecked. Interfaces set to ALL ALL. Only "Register DHCP leases in DNS resolver" is enabled, and "DHCP static mappings in DNS resolver" is checked. The TV does not have a DHCP reservation, it (IS) obtaining a LAN ip address from the DHCP lease pool. Currently ethernet connected.
As always, other hosts access the internet just fine. My own laptop I'm posting this message with. I renewed my pfSense DHCP address, and changed from specified DNS addresses to only the pfSense ip address (DHCP server, default gateway, and the only DNS server are all the LAN address of pfSense (192.168.30.1).
System Logs/Firewall/Dynamic: Filter, enter my LAN address and I see lots of activity of course. Enter the TV's leased address and NOTHING appears in the firewall logs. ????? On the TV screen it verifies the same ip address and default gateway (and MAC address).
I just don't understand why this TV is unlike every other device on the LAN, wired or wireless, that it just won't seemingly attempt internet access but will show up as reaching the firewall.
The same TV, connected either through the exact same connection can promptly access the internet with a different firewall (still wired the same), or wireless through a phone hotspot. The problem points squarely at pfSense then.