@aiden21c Good! I still think that some good came out of this whole situation, though.

For one, even if your current setup works well, the ideal setup for your whole company network is still with VLANs The order of the firewall rules needs to be held in mind (PfSense processes firewall packet rules from top to bottom):
1c9cfaf5-771e-4d8c-959e-e798596807bd-image.png
Rule 3 catches all traffic filtered by rules 4, 5, 6. It needs to be last. Rules 5 and 6 have destination address "Any" instead of "LAN Address". A way that helps (me personally) to keep fw rules tidy is to add 4 separators, the top one named "GENERAL BLOCK" (for entire protocols, for example, no need to allow GRE, ESP, AH, OSFP... on a LAN with interconnected servers if there is no explicit need), a second separator named "INCOMING", a third separator named "LOCAL TO FW" and a fourth one named "OUTGOING". I also add separators named "PASS" and "BLOCK", with that order, under each main separator. Even if no further network changes seem necessary, it is best to avoid NAT. In the future, in order to reduce latencies or enable certain UDP services that cannot be NATed, you can check if the Cisco Router can do PPPoE passthrough for PfSense. Because PPPoE is a separate interface in PfSense, you can have both a PfSense-to-Cisco connection (OFFICE - 192.168.20.40/24, not as a Gateway) and a PPPoE adapter as a direct PfSense Gateway (because PPPoE is a Layer 2 protocol, doesn't use IPs, that is why its Point-To-Point, so it doesn't interfere with the 192.168.20.0/24 subnet at all) with a public IPv4 for PfSense. At some point, instead of having separate rules for each gateway and traffic type, you might want to implement Multi-WAN Load Balancing and Traffic Shaping to control which traffic type uses what Gateway. It is best to set static IPs for LAN through the DHCP server (without a dynamic address pool) and set your private IPs as Static Mappings. That way, you can use Host Overrides on Unbound, which would allow you to use hostnames (and no IPs) in your setups, and avoid unnecessary config nightmares in case, say, you want to put everything in Docker. You can just change the IPs in the Static Mappings of PfSense Unbound, add a BIND container to Docker (just to handle the inter-container IPs using the same hostnames) and be done with it.

@gertjan Pfsense uses 127.0.0.1 as it's nameserver (it was displayed then using the pfSense dns lookup tool). I checked all settings on my win10 client and even captured the packets with wireshark: The packets were definitly sent to pfsense and were processed there (i saw the specific lookup request I made in the unbound logs). Good idea to check the resolution with the cli, thx.

However in the meantime, it seems like it's working:
I have noticed that I didn't upgrade my pfSense for more than 3 months. Therefore I checked for updates and saw that the version 2.6.0 was available. I installed it and as of know, the problems are gone.
Don't know if this was a bug in the previous version or what, but it was definitly strange...

@johnpoz @Gertjan @SteveITS Thanks for all the help :)

Apparently, another corporate router CISCO ASA connected to DMZ was the troublemaker. After physical disconnect and reboot of that device, everything started to work fine again :-)

After a bunch of googling:

unbound is not ever authoritative dnsmasq CAN be authoritative. I'm working on it...