Identifying APIPA hosts from firewall logs

Started by EricPerl, October 06, 2024, 11:12:14 PM

I've been experimenting with OPNsense for a few days.
It's refreshing to get a firewall that provides logging... Compared to TP-link ACLs.

I use OPNsense as a transparent filtering bridge between my router and main switch.

Anyway, I've got a couple of questions related to entries in the logs for hosts with APIPA addresses.

The first set corresponds to an internal address of my router. The packets seem to be replies to DNS requests (source port is 53 and destination is a random port on a PC). I found one entry corresponding to a request from PC:random to router:53. I assume that connection can be reused for multiple DNS queries.
Question #1: It's normal that I don't see replies from router:53 to PC:random, right?
And that's because everything exchanged over that allowed and established connection is not only allowed but not subject to logging.
But I might see traffic router:53 to PC:random if it happened after the connection closed or was idle too long (from the firewall's perspective)?
I see APIPA:53 to PC:random within a minute of PC:random to router:53.
And that traffic would get blocked and logged anyway because it doesn't match any allow rule.

Question #2: I have discovery queries from another APIPA address.
I suspect a device that failed to get IP via DHCP.
Is there a way to extract a MAC address from what's logged?
Maybe I can identify the source from info in my DHCP server...
I'd rather not resort to captures to find it. And if it's wireless, I'm toast.
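An added example (not from the original thread) of pulling this out of the log instead of eyeballing it: a Python script that parses OPNsense-style filterlog lines, lists every 169.254.0.0/16 source together with what it was seen talking to, and pairs blocked port-53 replies with the earlier passed request they answer. The log lines are constructed, and the field order (action, direction, proto, src, dst, sport, dport) is assumed from the pf filterlog CSV layout.

```python
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample lines in the shape of OPNsense's pf filterlog output
# (only action, direction, proto, src, dst, sport and dport are used).
SAMPLE_LOG = """\
2024-10-06T22:58:01 fw filterlog[12345]: 21,,,abc123,igb1,match,pass,in,4,0x0,,64,1001,0,DF,17,udp,60,192.168.1.50,192.168.1.1,51234,53,40
2024-10-06T22:58:31 fw filterlog[12345]: 0,,,0,igb1,match,block,in,4,0x0,,64,1002,0,none,17,udp,160,169.254.1.1,192.168.1.50,53,51234,140
2024-10-06T22:59:05 fw filterlog[12345]: 0,,,0,igb0,match,block,in,4,0x0,,64,1003,0,none,17,udp,80,169.254.77.3,239.255.255.250,49152,1900,60
2024-10-06T22:59:10 fw filterlog[12345]: 0,,,0,igb1,match,block,in,4,0x0,,128,1004,0,none,6,tcp,60,192.168.1.60,192.168.1.1,40000,443,0,S,1:1
"""

# Assumed filterlog order: ...,action,dir,4,...,proto,length,src,dst,sport,dport,...
LINE_RE = re.compile(
    r"^(?P<ts>\S+).*?,(?P<action>pass|block),(?P<dir>in|out),4,.*?"
    r",(?P<proto>tcp|udp),\d+,(?P<src>[\d.]+),(?P<dst>[\d.]+),(?P<sport>\d+),(?P<dport>\d+)"
)

def parse_filterlog(text):
    """Return one dict per IPv4 tcp/udp filterlog line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records

def apipa_sources(records):
    """Map each 169.254/16 source to the set of (dst, dport) it was seen sending to."""
    seen = {}
    for r in records:
        if ipaddress.ip_address(r["src"]) in APIPA:
            seen.setdefault(r["src"], set()).add((r["dst"], r["dport"]))
    return seen

def stray_dns_replies(records):
    """Blocked port-53 replies whose client (dst, dport) matches an earlier passed
    DNS request; returns (server asked, server that answered, request ts, reply ts)."""
    requests = {(r["src"], r["sport"]): r for r in records
                if r["action"] == "pass" and r["dport"] == 53}
    hits = []
    for r in records:
        if r["action"] != "block" or r["sport"] != 53:
            continue
        req = requests.get((r["dst"], r["dport"]))
        if req:
            hits.append((req["dst"], r["src"], req["ts"], r["ts"]))
    return hits

if __name__ == "__main__":
    recs = parse_filterlog(SAMPLE_LOG)
    print("APIPA sources:", apipa_sources(recs))
    print("stray DNS replies:", stray_dns_replies(recs))
```

filterlog records nothing below the IP layer, so this can only hand you the list of APIPA addresses and their targets to take to your DHCP server's leases or the switch's MAC table.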