Messages - strarsis

#1
In case this is helpful for others:
I encountered a similar issue where I get REFUSED answers from the Unbound DNS server on OPNsense over a VPN network.
This happened only when using nslookup on a Windows machine. Finally I found out the reason: nslookup automatically adds the DNS suffix to the domain, e.g. google.com becomes google.com.localdomain. One has to add an additional dot for the apex/DNS root (google.com.) to prevent this. However, as I used nslookup with the OPNsense Unbound DNS server IP address as the 2nd parameter, the dot at the end of the domain causes issues with nslookup parsing the arguments.
#2
So I had the problem that the PC had the full expected internet speed when connected directly to the network ethernet-fiber switch, but had only 1/4th or 1/2 of the upload/uplink bandwidth with the OPNsense appliance in between. First I assumed that shaping in OPNsense may be enabled, or that there is a performance or other (e.g. MTU, network cable (unlikely)) issue with the OPNsense-switch connection.
But after some research it turned out that the OPNsense appliance wasn't the reason for this at all; rather, it was the software of the PC itself on which the speedtests ran.
Gigabyte mainboard owners often have a network performance tool installed (cFos / "Gigabyte Speed") on Windows that ships with it. That tool should help with latency (debatable whether this is the case for fiber internet), but it can also shape traffic. And indeed, with the cFos traffic shaping feature disabled, the speeds became as expected (it could also be completely disabled or uninstalled).
Apparently cFos detects a different network scenario when its PC is connected to the internet over the OPNsense appliance compared to being directly connected to the switch, hence it shapes traffic and reduces the upload/uplink bandwidth.