@mj9768
If you allow any on OPT1 also access to your local network is allowed from this interface of course. But there is nothing allowed from WAN, even OPT1 is bridged with it.

All you need to allow might be access to public destinations, however. So just add a proper rule to the interface.
To achieve this, I create an RFC 1918 alias and use it as destination in a pass rule with "invert match" checked:

9120df6d-057b-4b55-bc3d-9055be0632d6-grafik.png

This here is a floating rule, but in your case you should put it on OPT1 and you might want to allow any protocols.

This presumes, that the tunables net.link.bridge.pfil_member is enabled and net.link.bridge.pfil_bridge is disabled.

Ok, if you're doing that I would put the bridge between WAN and OPT and use LAN for management. That removes the switch from the connection.

As soon as you have access to the full, decrypted data stream it's most probably possible to cache everything.

But :
The, for example, ccs style sheet file, can have a unique name - and won't be re used ever again, so it will get reloaded anyway.
The file creation date can be set to 'now' so the browser will request a fresh copy, even if the content didn't change at all.
etc etc .