Messages

Use ULA to distribute the DNS:
Create a virtual IP for the sense using a ULA (eg fd00:10:10:01::1) and distribute this ULA as DNS via RA.

To use ULA (ask google ;) ) you need to create a virtual IP (ULA) for the sense. This virtual IP is static and can be used to address the sense, instead of using loopback (::1) or GUA with changing prefix.Thats all for this usecase...

It's alphabetical so you can easily change the order by renaming or numbering ;)

Maybe you should see this actual thread at post 10 and further:
https://forum.opnsense.org/index.php?topic=30643.0

Wireguard is not supported by NordVPN. NordVPN uses it's own protocoll "NordLynx" based on WG, which, afaik, can only be used with NordVPN apps.

How to route only specific devices over thr VPN gateway was asked a few hours ago: https://forum.opnsense.org/index.php?topic=30657.msg147872#new

Btw:
Die Durchgängigkeit des Schirms ist auch wichtig, wird von dem Kabeltester aber scheinbar nicht geprüft... Das ist dann aber eine Sache der Signalqualität und ggf Geschwindigkeit, funktionieren tut es auch ohne Schirm.

Dss Thema ist zwar etwas falsch in diesem Forum, aber immerhin passt es zum Thema Netzwerk ;)

Naja Du musst dafür sorgen, dass die Ader 3 verbunden wird, irgendwo (Dose oder Patchfeld) wird die Ader nicht angeschlossen sein, mit viel Pech ist doe Ader auch irgendwo zwischendrin in der Leitung gebrochen.

Das Wohnzimmer funktioniert trotz "Fehler", weil für 100Mbits nur die Adern 1,2,3 und 6 benötigt werden. Wenn im Schlafzimmer Ader 3 verbunden ist, geht hier auch Gigabit und mehr.

Lol, sorry I forgot about it...
Here they are (step 2 to 4)
https://postimg.cc/gallery/N0jbTgs

So you want one or more devices to use the NordVPN gateway?
I explained this a couple of days ago in the german QNAP forum with screenshots, hope this helps:
https://forum.qnapclub.de/thread/61003-qvpn-soll-sat-empf%C3%A4nger-vort%C3%A4uschen-er-w%C3%A4re-in-deutschland-nur-dns-l%C3%A4uft-nicht/?postID=448566#post448566

For some reason ::1 don't work for me too.
Instead I'm using the Sense's ULA, created as virtual IP.

It would be nice if you wrote about what you are referring to.
I assume https://docs.opnsense.org/manual/how-tos/multiwan.html

The rule is placed above (before) the default allow rule on each interface that uses the gateway group.
To be honest: I never understood this rule, but never cared about as I have such a rule anyway for redirecting DNS.

What are you intended to do?
For Failover only, you need to use different tiers, where the main gateway ist the lower one.

You can use "This Firewall" in your rules, which will contain all v4 and/or v6 addresses of the sense itself, v6 prefix changes are taken into account.

Depends on how much you need to block... for a few networks I would allow any for LAN and create a block rule for each network that should not be reachable.

WAN_net means for your sense the network between Fritzbox and the sense.
With this rule, you only have access from LAN to this small network (WAN sense and LAN/DMZ Fritzbox).
For the issue with resetting states see this Thread: https://forum.opnsense.org/index.php?topic=30392.msg146651#msg146651

Ich vermute mal "der andere Laptop" hat irgendwelche Zimperchen und liefert daher so abweichende Ergebinsse.
Wie hast Du iperf3 ausgeführt? Klingt für mich danach, als hättest Du damit nur den Upload gemessen.

Upload:
iperf3 -c HOST

Download:
iperf3 -c HOST -R