Two dns servers & port forward all DNS traffic not (always) working

Started by burritoNL, February 23, 2025, 02:19:34 PM

Goal
Route / force / port forward all the DNS requests in my GUEST VLAN to my secondary DNS server (DNSMasq).

Problem
Using dnsleaktest.com with a device on the GUEST VLAN I still see requests being resolved by the external forwarder of unbound (Cloudflare). But this is not always the case. Sometimes I see all the DNS tests (extended test) showing my Proton DNS, but sometimes it shows Cloudflare (at the bottom) as well. It looks like the port forward rule (see below) isn't 'always' working? The only 'testing' scenario that did work was completely disabling the unbound server (all dnsleaktest.com runs after this change were resolving to Proton VPN), but this is of course not a solution.

Setup
I have a network setup with multiple VLANs and four WireGuard VPN instances connecting to Proton VPN. Those four instances are configured as a gateway group to do load balancing. All traffic on my GUEST VLAN going to the internet should travel over the gateway group. Everything is working as expected besides the described DNS issue.

Two DNS servers are configured. Unbound is my primary (default) DNS server and runs on the default port (53). The requests that unbound can't resolve will be forwarded to Cloudflare. DNSMasq is my secondary DNS server and is used to forward unknown lookups to the DNS Server of Proton (10.2.0.1).

What I've tried so far
- Stopped unbound from listening on the GUEST interface. I was expecting this should work as a workaround, but it does not. For some reason guest DNS requests still reach the unbound DNS server?
- Tried with NAT reflection, enabled and disabled.

References
- https://homenetworkguy.com/how-to/redirect-all-dns-requests-to-local-dns-resolver/
- https://forum.opnsense.org/index.php?topic=9245.0

LINK TO MORE SCREENSHOTS OF SETUP: https://imgur.com/a/3ZbnQbh
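The redirect the Goal section asks for, written out as the pf `rdr` rule that an OPNsense port forward compiles down to. This is an added example, not the poster's rule (which exists only in the screenshots) and not OPNsense's own generated configuration. The interface name (vlan0.20), the guest subnet (192.168.20.0/24 with the firewall at 192.168.20.1) and the DNSMasq listen port (5353) are assumptions; only the Proton resolver address 10.2.0.1 comes from the post.

```pf
# Added example, not from the original post or from OPNsense: the pf rdr rule a
# GUEST-interface port forward should end up as.
# Assumptions (not in the post): GUEST is vlan0.20, the firewall's guest address
# is 192.168.20.1/24, and DNSMasq has been moved off port 53 to 192.168.20.1:5353
# (dnsmasq option "port=5353", the "Listen Port" field in the OPNsense Dnsmasq
# settings) so it no longer collides with unbound on :53.

# Problematic shape: guest DNS is caught, but redirected to the firewall's own
# :53. Whatever daemon owns :53 on that address answers, and in this setup that
# is unbound (which forwards unknown names to Cloudflare), so the redirect
# "works" while the leak test still shows Cloudflare.
#rdr pass on vlan0.20 inet proto { tcp udp } from 192.168.20.0/24 to any port 53 -> 192.168.20.1 port 53

# Corrected shape: every port-53 flow leaving a guest client, whatever
# destination it carried, lands on the DNSMasq listener on its own port.
# DNSMasq forwards unknown names to Proton (server=10.2.0.1), as in the post.
rdr pass on vlan0.20 inet proto { tcp udp } from 192.168.20.0/24 to any port 53 -> 192.168.20.1 port 5353

# Fail loud instead of silently falling back to unbound: if the rdr above is
# ever disabled, plain port-53 traffic to anything but the firewall is refused.
block return in quick on vlan0.20 inet proto { tcp udp } from 192.168.20.0/24 to ! 192.168.20.1 port 53
```

After saving the port forward, `pfctl -sn` on the firewall lists the loaded NAT rules and shows whether the `rdr` really sits on the guest interface with the intended target port; `pfctl -ss | grep ':53'` shows the live states and which address:port they were translated to. Two caveats a leak test cannot tell apart: a redirect on port 53 does nothing for clients that speak DNS over HTTPS (443) or DNS over TLS (853) to their own provider, and any redirect whose target address is one unbound is bound to will be answered by unbound, regardless of which interfaces were deselected in its listen settings.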