@jimp could you point me in the right direction how to setup so HAProxy on pfSense handels the certs ( not just getting them )

poderia relacionar quais foram os hosts que colocou:?

You can still do some filtering on HTTPS without the MITM. On E2 Guardian, I have multiple groups setup, some which have MITM enabled and some such as in your case that are for Guest Wi-Fi where I can't properly sneak in the CA. On Squid I believe this is referred to as Bump and Splice all. For my guest Wi-Fi setups, I just use the non-MITM method. This is where the proxy is able to see the domain name without the resource path at the end in order to decide if a website should be let through or not. MITM would obviously allow the proxy to look at the entire URL with the resource path and make a informed decision as to whether or not to allow a website through. I prefer it way more than DNS level filtering as it's more flexible. You can set it up for specific users while others can browse those sites just fine. If you've got sometime, I recommend you give E2 Guardian a shot. It worked out a lot better than Squid in my use case and it has the added benefit of actual phrase filtering.

If you just want to do DNS bases blacklisting you could take a look at pfBlockerNG.

How many hours of work... Seems like quite a few to me.. So unless you get lucky and someone writes it up for their own use and shares it. You have to provide enough incentive for someone to do all the work. $100 at best at best cover an hour worth of work - this is clearly more than 1 hour to implement, etc.