Messages - InvalidHandle

#2
There are attack techniques that use ICMP and he most certainly reduces attack surface by blocking it to/from WAN.  Exclusions can be added if desired.
#3
Unbound will listen on port 53 by default unless you change it so it will capture incoming DNS requests on port 53.  You could forward your DNS queries to your own DNS resolver in the Unbound Query forwarding.  In the Query Forward, enter your DNS server IP and specify a port such as 5353 and set your DNS server to listen for requests on that port.  The Unbound DNSBL should still work if you have enabled selections. (Don't select and apply all at once or it will probably timeout and not apply anything).  Once you have it all configured you can verify by looking under Reporting > Unbound DNS and see if it still blocks and you should see traffic on the port/IP that you specified to your DNS server on the firewall > Log > Live View.

Some browsers will use DoH by default and they would show up under Intrusion Detection > Administration > Alerts > ET INFO Observed DNS Over HTTPS Domain.  Since these are on port 443 it would bypass your DNS server so you need to turn that off in the browser or by policy if you don't want that.

#4
It sounds like you are missing firewall configuration for the vlan interfaces that you set up and I don't think you need the bridge.
If you want to allow traffic between both LAN and vLAN networks I'm not sure what you gain with the vlan unless you really need to split a single port into multiple subnets.  Here is the documentation on vlans: https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Just food for thought, vLANs can be very tricky if you are using IDS/IPS.  If you have enough ports on your hardware and aren't trying to segment traffic, create a separate LAN subnet interface for your TrueNAS, skip the vLAN, and set up firewall rules accordingly if you want to isolate the NAS LAN from WAN.  That is my two bits.

#5
I haven't done what you are trying, but here is how I would approach that.

Create a WAN Gateway with the IP gateway of your Proxy and enable it.
Create a LAN subnet in Interface and enable it.
Configure the LAN DHCP unless you are setting static addresses.
Assign the Interface, ex: igb2 (depending on what port you are plugging into)
Select the proxy WAN in the Interface gateway settings (At the bottom of the config page) of the LAN subnet interface that you created.
Copy the default LAN to WAN (Default LAN to any rule) for the new LAN interface, deselect LAN and select your new LAN Proxy Interface and save.
Verify traffic flow on the firewall live view.
#6
I have submitted a bug report to Unbound on Github.  If you are also experiencing this issue and have anything to add that I didn't include, please share a comment or comment directly to Unbound on Github.

I've tried reinstalling Unbound, but the issue persists.  My setup follows all OPNsense instructions for setting up DNS over TLS.  DNS traffic flows over the service and the DNSBL is working but the upstream DNS traffic is unencrypted.  No DNS servers are set anywhere else in OPNsense and I have a firewall rule blocking outbound DNS on port 53.  The firewall shows DNS traffic going out to the port specified in Unbound.
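Both #3 (forwarding Unbound to an internal resolver on a non-standard port and checking the live view) and #6 (upstream DNS that should be encrypted but shows up on the port Unbound was given) come down to reading the firewall log and counting which DNS hops are present and which should not be. The script below is an added example, not the poster's own, and it works on a constructed, simplified log format (interface,action,direction,proto,src,sport,dst,dport); it is not the real OPNsense filterlog layout, and the addresses, the forward target 192.168.1.10:5353 and the sample lines are all made up for the example.

```shell
#!/bin/sh
# Constructed sample of simplified firewall log lines. This is NOT the real OPNsense
# filterlog format; the columns are an assumption made for this example:
# interface,action,direction,proto,src_ip,src_port,dst_ip,dst_port
SAMPLE_LOG='lan,pass,in,udp,192.168.1.50,51234,192.168.1.1,53
lan,pass,in,udp,192.168.1.51,40000,192.168.1.1,53
lan,block,in,udp,192.168.1.52,40001,8.8.8.8,53
lan,pass,out,udp,192.168.1.1,49152,192.168.1.10,5353
lan,pass,out,udp,192.168.1.1,49153,192.168.1.10,5353
wan,block,out,udp,203.0.113.10,49154,1.1.1.1,53
wan,pass,out,udp,203.0.113.10,49155,9.9.9.9,53
wan,pass,out,tcp,203.0.113.10,49156,1.1.1.1,853'

# dns_path_report FW_LAN_IP FORWARD_IP FORWARD_PORT   (log lines on stdin)
# Counts the hops a query should take and the ones it should not:
#   clients      - client queries that reached Unbound on the firewall's port 53
#   forwarded    - queries Unbound handed to the configured forward target
#   plain53_leak - plaintext port-53 traffic that a pass rule let out of the WAN
#   blocked53    - port-53 traffic to anything but the firewall that a block rule stopped
#   dot853       - upstream traffic on 853 (what DNS over TLS should look like)
dns_path_report() {
  awk -F, -v fw="$1" -v fip="$2" -v fport="$3" '
    $4 == "udp" || $4 == "tcp" {
      if ($2 == "pass"  && $7 == fw  && $8 == 53)                    clients++
      if ($2 == "pass"  && $7 == fip && $8 == fport)                 forwarded++
      if ($2 == "pass"  && $1 == "wan" && $3 == "out" && $8 == 53)   leak++
      if ($2 == "block" && $7 != fw  && $8 == 53)                    blocked++
      if ($2 == "pass"  && $1 == "wan" && $3 == "out" && $8 == 853)  dot++
    }
    END {
      printf "clients=%d forwarded=%d plain53_leak=%d blocked53=%d dot853=%d\n",
             clients, forwarded, leak, blocked, dot
    }'
}

# Firewall LAN address 192.168.1.1, Unbound forwarding to an internal resolver on 192.168.1.10:5353
printf '%s\n' "$SAMPLE_LOG" | dns_path_report 192.168.1.1 192.168.1.10 5353
```

A healthy setup shows clients and forwarded counts that track each other and a plain53_leak of zero; the one leaked line in the sample is the kind of entry #6 describes, a pass rule letting port 53 out even though the resolver is supposed to be using DNS over TLS. For the #6 scenario the same function is called with the DoT upstream and port 853 as the forward target.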
#7
Hi ubear/Uri,

(edited) 
Sorry I didn't see your picture, I'll leave the text below just as a reference to others searching.
If you want a single client to ping outbound, put an allow rule above your block rule and apply on match.
Interface: (LAN that your host is on)
Source: Single Host or Alias
Enter your single host.
Save
Apply
Ensure the single host Allow rule is above your blanket ICMP Block rule in the floating firewall ruleset.

****
Example Rule:

You can block ICMP for the example you posted by clicking Firewall > Rules > Click Floating > Click + to add a rule

Specify Action: Blocked
Interfaces: Select desired (These are the interfaces that the rule will apply to)
Direction: Select desired: in, out, any
TCP/IP: IPv4+IPv6
Protocol: ICMP
Log Packets Handled: Check if logging is desired
Enter a Description
Click Save at the bottom
Click Apply at the top

*****

In the above example if WAN is the interface, direction any, all ICMP to/from WAN will be blocked.  If you select direction OUT, all outbound ICMP is blocked from any of the interfaces that you select.

If you have any monitor IPs that are in the WAN zone for High Availability you'll need an exception for the router gateway IP or it will always show down and your gateway switching won't work.  Also, if outbound ICMP is blocked, without any client exceptions, you won't be able to ping any external address.

Best Regards
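The ordering point in #7 (and the "exclusions can be added" remark in #2) is easiest to see by walking a packet down the floating tab the way the firewall does when every rule applies its action on match: the first rule that matches decides, so an allow placed below the blanket ICMP block never gets a chance. The script below is an added example, not the poster's own; the rule format (action,interface,direction,proto,source,destination), the host 192.168.1.20 and the gateway monitor IP 203.0.113.1 are all constructed for the example, and it models only the rule walk, not the state table that lets reply traffic through.

```shell
#!/bin/sh
# Constructed floating rulesets, listed top to bottom as they would appear in the GUI.
# Every rule is assumed to be "quick" (Apply the action immediately on match), so the
# first matching rule decides. Columns: action,interface,direction,proto,source,destination
# (not the real OPNsense rule format; an assumption made for this example).

# Single-host allow and the HA gateway-monitor exception sit ABOVE the blanket block.
RULES_GOOD='pass,lan,in,icmp,192.168.1.20,any
pass,wan,out,icmp,any,203.0.113.1
block,any,any,icmp,any,any'

# Same rules with the blanket block first: the exceptions below it are never reached.
RULES_BAD='block,any,any,icmp,any,any
pass,lan,in,icmp,192.168.1.20,any
pass,wan,out,icmp,any,203.0.113.1'

# evaluate_rule RULESET IFACE DIRECTION PROTO SRC DST -> prints pass, block or no-match.
# Models only the first-match walk over the floating tab; replies to a connection that
# was already passed are handled by the state table and are not modelled here.
evaluate_rule() {
  printf '%s\n' "$1" | awk -F, -v i="$2" -v d="$3" -v p="$4" -v s="$5" -v ds="$6" '
    ($2 == "any" || $2 == i) &&
    ($3 == "any" || $3 == d) &&
    ($4 == "any" || $4 == p) &&
    ($5 == "any" || $5 == s) &&
    ($6 == "any" || $6 == ds) { print $1; found = 1; exit }   # quick: stop at first match
    END { if (!found) print "no-match" }'
}

# The same packets evaluated against both orderings.
echo "allowed host, exceptions first: $(evaluate_rule "$RULES_GOOD" lan in icmp 192.168.1.20 8.8.8.8)"
echo "allowed host, block first:      $(evaluate_rule "$RULES_BAD"  lan in icmp 192.168.1.20 8.8.8.8)"
echo "other LAN host:                 $(evaluate_rule "$RULES_GOOD" lan in icmp 192.168.1.30 8.8.8.8)"
echo "firewall pinging gateway:       $(evaluate_rule "$RULES_GOOD" wan out icmp 203.0.113.10 203.0.113.1)"
echo "firewall pinging elsewhere:     $(evaluate_rule "$RULES_GOOD" wan out icmp 203.0.113.10 198.51.100.5)"
```

The third ruleset line is the blanket block from the example rule above; moving it to the top, as RULES_BAD does, turns the allowed host's ping and the gateway monitor into "block", which is exactly the "always shows down" symptom described for High Availability.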

#8
You likely have enabled promiscuous mode on a vLAN interface, which will crash the interface if IDS is enabled.  Disable promiscuous mode on all vLANs and then open the parent (Physical) interfaces that you wish to monitor that have vLANs, check Promiscuous mode > check Overwrite Global Settings > Check the three boxes for CRC, TSO, LRO offloading > Save > Restart Suricata.
#9
You likely have enabled promiscuous mode on a vLAN interface, which will crash the interface if IDS is enabled.  Disable promiscuous on all vLANs > Save and Apply settings > and then open the parent (Physical) interfaces that you wish to monitor that have vLANs, check Promiscuous > check Overwrite Global Settings > Check the three boxes for CRC, TSO, LRO offloading > Save and Apply settings > Restart Suricata.
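Posts #8 and #9 both point at the same misconfiguration: promiscuous mode set on a VLAN interface instead of on its parent when Suricata is monitoring it. A quick way to spot that state is to scan ifconfig output for VLAN interfaces carrying the PROMISC flag and parents that lack it. The script below is an added example, not the poster's own; the sample is constructed in the style of FreeBSD ifconfig output (interface names igb1, vlan10, vlan20 and the MAC address are made up) and the exact line layout is an assumption, so adjust the patterns if your box prints differently.

```shell
#!/bin/sh
# Constructed sample in the style of FreeBSD `ifconfig` output (an assumption for this
# example, not captured from a real box): vlan10 has PROMISC set on the VLAN itself,
# while its parent igb1 does not.
IFCONFIG_SAMPLE='igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
vlan10: flags=8843<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
        vlan: 10 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
        vlan: 20 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1'

# vlan_promisc_check   (ifconfig output on stdin)
#   WARN for every VLAN interface that itself has PROMISC set
#   NOTE for every parent of a VLAN that does not have PROMISC set
vlan_promisc_check() {
  awk '
    /^[a-z0-9.]+: flags=/ {               # interface header line: name and flag list
      cur = $1; sub(/:$/, "", cur)
      promisc[cur] = ($2 ~ /PROMISC/) ? 1 : 0
    }
    /parent interface:/ {                 # VLAN detail line names the parent
      parent[cur] = $NF; is_vlan[cur] = 1
    }
    END {
      for (v in is_vlan) {
        if (promisc[v])
          printf "WARN %s: promiscuous mode set on the VLAN itself\n", v
        p = parent[v]
        if (!promisc[p] && !(p in noted)) {
          printf "NOTE %s: parent of VLANs without promiscuous mode\n", p
          noted[p] = 1
        }
      }
    }' | sort
}

printf '%s\n' "$IFCONFIG_SAMPLE" | vlan_promisc_check
```

On a live box the input would come from `ifconfig | vlan_promisc_check`; a WARN line is the interface to fix (disable promiscuous on the VLAN), and the NOTE line is where the post says to turn it on instead, on the parent, together with the offloading settings.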