<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[NAT Redirect for DNS]]></title><description><![CDATA[<p dir="auto">Good morning, all.</p>
<p dir="auto">I am in the process of improving my home network, making better use of pfSense and trying to move away from 'hard-coded' rules.<br />
This has been a large project with VLANs and all the joys (which I must admit I am actually enjoying).</p>
<p dir="auto">I am running Unbound internally, which is connected to Cloudflare Security (1.1.1.2) for some basic security; however, I also want to set some devices to use Cloudflare for Families (1.1.1.3) for basic parental filtering (I know it's not a silver bullet).<br />
To be able to easily bring devices in and out of this group, I created two aliases: 1. for approved DNS providers, and 2. for devices which are to be captured by parental filters.</p>
<p dir="auto">I created a NAT rule that basically looks to see: 1. is the request NOT going to an approved DNS provider, and is the request going to a DNS provider which is NOT in the approved DNS provider list? If so, it redirects to the firewall.<br />
This seems to work (as a rule) with IPv4, but when I try to configure it using IPv6 I get an error saying "The destination port range overlaps with an existing entry".</p>
<p dir="auto">I checked and there is only one set of IPv4 and IPv6 rules per interface, and I can't see what is causing the error. I have tried changing the source port range to 'any' as well, but that does not make any difference either.</p>
<p dir="auto"><img src="/assets/uploads/files/1695774754655-nat-redirect-resized.png" alt="NAT Redirect.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">The idea is that I will set static IP addresses in the DHCP reservations, so those devices which should be captured by parental filtering can be handled that way (or should I just create another NAT rule where, if the source is in the Parental Filtering alias, it just redirects to 1.1.1.3)?</p>
<p dir="auto">Hopefully that makes sense, thanks for any help anyone can provide!</p>
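<p dir="auto">Editor's added example (not the poster's configuration and not pfSense code): a small simulation of how pf evaluates port-forward (rdr) rules first-match, comparing the single "destination NOT in Approved DNS, redirect to the firewall" rule described in the post with the alternative floated at the end, a second rule that sends the Parental Filtering devices straight to the family resolver. The alias contents, the 192.168.20.0/24 and 2001:db8:20::/64 addressing, and the firewall's own addresses are assumptions chosen for illustration; the Cloudflare IPv6 resolver addresses are included as assumptions too. The point it shows is that the parental rule has to sit above the catch-all, otherwise a parental device querying an outside resolver is caught by the catch-all first and lands on Unbound (1.1.1.2) instead of 1.1.1.3.</p>

```python
"""Simulate first-match evaluation of pf port-forward (rdr) rules for DNS traffic.

Added example for this thread. Not the poster's rules and not pfSense code; the
aliases, subnets and firewall addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed aliases. pfSense aliases can hold both families; the lookup below is
# family-aware, so one rule object stands in for the IPv4 and IPv6 copies of a rule.
ALIASES = {
    "Approved_DNS": ["1.1.1.2", "1.0.0.2",
                     "2606:4700:4700::1112", "2606:4700:4700::1002"],   # assumed v6 entries
    "Cloudflare_Families": ["1.1.1.3", "2606:4700:4700::1113"],       # assumed v6 entry
    "Parental_Devices": ["192.168.20.50", "192.168.20.51", "2001:db8:20::50"],
    "This_Firewall": ["192.168.20.1", "2001:db8:20::1"],              # redirect target
}


def in_alias(addr: str, alias: str) -> bool:
    """True if addr falls inside any entry of the alias with the same IP version."""
    ip = ipaddress.ip_address(addr)
    for entry in ALIASES[alias]:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def redirect_target(alias: str, version: int) -> str:
    """Pick the alias entry matching the packet's address family."""
    for entry in ALIASES[alias]:
        if ipaddress.ip_address(entry).version == version:
            return entry
    raise ValueError(f"alias {alias} has no IPv{version} entry")


@dataclass
class RdrRule:
    name: str
    src_alias: Optional[str]   # None means "any" source
    dst_alias: Optional[str]   # None means "any" destination
    dst_invert: bool           # pfSense "Destination -> Invert match" checkbox
    dst_port: int
    target: str                # alias the traffic is redirected to

    def matches(self, src: str, dst: str, port: int) -> bool:
        if port != self.dst_port:
            return False
        if self.src_alias is not None and not in_alias(src, self.src_alias):
            return False
        if self.dst_alias is not None:
            hit = in_alias(dst, self.dst_alias)
            if hit == self.dst_invert:     # invert flips the sense of the match
                return False
        return True


def evaluate(rules, src: str, dst: str, port: int = 53):
    """First matching rule wins, as in pf. Returns (rule name, new destination) or None."""
    version = ipaddress.ip_address(dst).version
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.name, redirect_target(rule.target, version)
    return None   # no redirect: the query goes where the client sent it


# The single rule from the post: anything on port 53 not aimed at an approved
# resolver is bent to the firewall, where Unbound answers.
CATCH_ALL = RdrRule("redirect-unapproved-dns", None, "Approved_DNS", True, 53, "This_Firewall")

# The alternative from the end of the post: parental devices go straight to the
# family resolver, regardless of which resolver they asked for.
PARENTAL = RdrRule("parental-to-families", "Parental_Devices", None, False, 53, "Cloudflare_Families")

POSTER_RULESET = [CATCH_ALL]
SUGGESTED_RULESET = [PARENTAL, CATCH_ALL]   # parental rule must come first
WRONG_ORDER = [CATCH_ALL, PARENTAL]         # catch-all shadows the parental rule

if __name__ == "__main__":
    for label, rules in (("poster", POSTER_RULESET), ("suggested", SUGGESTED_RULESET), ("wrong order", WRONG_ORDER)):
        for src, dst in (("192.168.20.50", "8.8.8.8"), ("192.168.20.50", "1.1.1.2"),
                         ("192.168.20.99", "8.8.8.8"), ("2001:db8:20::50", "2001:4860:4860::8888")):
            print(f"{label:12} {src:>18} -> {dst:<22} {evaluate(rules, src, dst)}")
```

<p dir="auto">Two things the run makes visible: with the parental rule above the catch-all, a filtered device that points itself at 1.1.1.2 (an approved resolver) is still sent to 1.1.1.3, because that rule's destination is "any"; and the catch-all only sees plain UDP/TCP 53, so a device using DNS over TLS on 853 or DNS over HTTPS on 443 is not redirected by either rule, which is the usual caveat with this kind of forced-DNS setup.</p>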
]]></description><link>https://forum.netgate.com/topic/183067/nat-redirect-for-dns</link><generator>RSS for Node</generator><lastBuildDate>Fri, 05 Jun 2026 22:41:34 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/183067.rss" rel="self" type="application/rss+xml"/><pubDate>Wed, 27 Sep 2023 00:41:29 GMT</pubDate><ttl>60</ttl></channel></rss>