Home Firewall configuration - Streaming, IoT and VLANs!

Started by mightyi, June 30, 2025, 02:18:33 PM

After some poor network performance, I decided to rebuild my network to try and optimise and secure it better.  I was also sick of having to turn off (R)STP because the Sky Q box would disable ports due to its network mesh catastrophe!

I have (I think!) quite a robust setup - 6 Unifi Access Points, Unifi Enterprise 24 port multi-gig PoE+ switch, with a trunk port to a Unifi 8 port flex PoE switch.
The OPNsense firewall is an i3-7100 with 8 GB RAM and a 500 GB SSD. I have an Intel X550-T2 PCIe network card installed, with one port set at 2.5 Gbps and connected to a VM Superhub 5 @ 1150 Mbps, and the other port connected at 10 Gbps via an SFP+ adapter into the Unifi main switch.

I have split the network into 6 different VLANs (plus WAN): Internal, Management, Streaming, IoT, Security and Garage.  iPhones, iPads, laptops, desktops (including two Plex/Emby servers) and Macs are all on the Internal VLAN. The Management VLAN holds the switches, Unifi APs and the server running Homebridge and the Unifi Controller. The Streaming VLAN contains the "trusted" devices: Sky Q boxes, Nvidia Shield, Amazon Fire TV, network audio players, AV amps and Sonos speakers.  The IoT VLAN contains all the other "smart" devices (Meross smart plugs/extensions/energy meters/radiator valves/smoke alarms, Twinkly(tm) lights, smart washer/dryer, smart fridge, smart kettle, etc.), plus Apple HomePods to make it easier to control them.  The Garage VLAN is for using diagnostic software and tools that I don't want attached to the internal networks in any way, and the Security VLAN houses all my Ring internal and external cameras, alarm, doorbell, etc.  This is also isolated from the main VLANs.

Trunk ports and uplink ports are all working great, RSTP is enabled with tweaked switch priorities to make the Sky Q behave, and the Ring cameras aren't dropping off the network like they were due to lost packets.  All seems good... except for some REALLY annoying glitches!

At the moment, I have set up individual rules for each device group (Amazon Echo, Amazon Fire, Plex servers, etc.) and have been assigning rules between the VLANs as they've popped up blocked, and ensured they are as locked down as possible.  I have configured IGMP Proxy, mDNS Repeater for mDNS traffic, and UDP Broadcast Relay to handle all other multicast (SSDP etc.).  That brought A LOT of multicast traffic, which clearly means things are talking!  Everything seems to work fine; I can even control my Twinkly lights through the app on the internal network, which has never worked properly before.  I've had to allow ephemeral ports between Amazon and streaming devices as expected, as well as specific SmartThings ports and Apple-specific APN ports etc. to make things behave.

The problem is that I'm seeing a lot more blocked packets than I was before: the desktop (Plex/Emby) with a lot of SYN flags to port 8883, and RST/ACK and FIN/ACK to 443/t; with Amazon devices and the Ring Alarm base unit seeing lots of PSH/ACK, FIN/ACK and FIN/PSH/ACK to 443/t, all to the internet. They all get stopped by the default "Block All" rule on each VLAN rule table, completely ignoring the specific rules allowing the traffic before it.  I have even enabled the "options" checkbox under Advanced to see if that helps, as a lot of traffic is likely multicast around the network, but no dice.

I've also seen a lot of people saying "Oh, ignore it, normal traffic", but I never saw this sort of traffic before.  Can anyone offer any suggestions or pointers, or tell me I'm being stupid and to ignore it!?

Thanks!
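The blocked-packet patterns described in the post above are worth triaging by TCP flags before touching rule order. pf is stateful: a `pass` rule for TCP defaults to `flags S/SA`, so state is created on the bare SYN of a session and every later packet is matched against the state table, not the rule list. A FIN/ACK, RST/ACK or PSH/ACK that arrives after the state has expired or been torn down therefore falls through to the final block rule regardless of which pass rules sit above it, while a blocked bare SYN is a genuinely denied connection attempt that needs a rule decision (8883 is the IANA port for MQTT over TLS, which cloud-connected devices commonly use). The script below, an added example that is not the poster's code and not part of OPNsense, makes that split. It assumes a simplified, hypothetical CSV layout (`timestamp,interface,action,proto,src,sport,dst,dport,tcpflags`, flags in tcpdump letters); the sample log lines are constructed, use RFC 5737 documentation addresses, and only mirror the flag mix the post mentions. Map your own exported firewall log columns onto the layout before reusing it.

```python
"""Triage blocked-packet log lines from a stateful (pf-style) firewall.

Added example; not code from the original post and not part of OPNsense.
It assumes a simplified, hypothetical CSV layout:
    timestamp,interface,action,proto,src,sport,dst,dport,tcpflags
with tcpflags written tcpdump-style (S=SYN, A=ACK, F=FIN, R=RST, P=PSH).
Map your own exported log columns onto this layout before reusing it.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines, modelled on the flag patterns described in the
# post. Addresses are RFC 5737 documentation ranges, not real endpoints.
SAMPLE_LOG = """\
2025-06-30T14:01:02,vlan10,block,tcp,192.168.10.20,51234,203.0.113.10,8883,S
2025-06-30T14:01:03,vlan10,block,tcp,192.168.10.20,51100,203.0.113.10,443,RA
2025-06-30T14:01:05,vlan10,block,tcp,192.168.10.20,51101,203.0.113.10,443,FA
2025-06-30T14:01:07,vlan30,block,tcp,192.168.30.15,40210,198.51.100.7,443,PA
2025-06-30T14:01:08,vlan30,block,tcp,192.168.30.15,40210,198.51.100.7,443,FPA
2025-06-30T14:01:09,vlan40,block,tcp,192.168.40.7,33001,198.51.100.9,443,FA
2025-06-30T14:01:10,vlan40,block,tcp,192.168.40.7,33002,198.51.100.9,443,PA
2025-06-30T14:01:11,vlan10,block,tcp,192.168.10.20,51235,203.0.113.10,8883,S
2025-06-30T14:01:12,vlan30,block,udp,192.168.30.15,5353,224.0.0.251,5353,
"""

NEW_CONNECTION = "new-connection"  # SYN without ACK: a real, denied connect attempt
OUT_OF_STATE = "out-of-state"      # no SYN: packet for a session pf no longer tracks
OTHER = "other"                    # non-TCP, or SYN/ACK replies

# Well-known destination ports worth naming when a SYN is denied.
SERVICE_NAMES = {443: "HTTPS", 8883: "MQTT over TLS"}


@dataclass(frozen=True)
class Entry:
    timestamp: str
    interface: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Entry:
    """Parse one CSV record of the hypothetical layout documented above."""
    fields = line.strip().split(",")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    ts, iface, action, proto, src, sport, dst, dport, flags = fields
    return Entry(ts, iface, action, proto, src, int(sport), dst, int(dport), flags)


def classify(entry: Entry) -> str:
    """Decide whether a blocked TCP packet is a denied new connection or
    merely out-of-state.

    pf creates state on the SYN of a session and matches later packets
    against the state table rather than the rule list. A FIN/ACK, RST/ACK or
    PSH/ACK with no state behind it therefore falls through to the final
    block rule no matter which pass rules sit above it.
    """
    if entry.proto != "tcp":
        return OTHER
    flags = set(entry.flags)
    if "S" in flags and "A" not in flags:
        return NEW_CONNECTION
    if "S" not in flags:
        return OUT_OF_STATE
    return OTHER


def triage(log_text: str) -> dict:
    """Summarise a block log: counts per category, plus the (src, dport,
    service, count) tuples whose SYNs were denied and so need a rule decision."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    counts = Counter(classify(e) for e in entries)
    denied = Counter((e.src, e.dport) for e in entries if classify(e) == NEW_CONNECTION)
    needs_rule = sorted(
        (src, port, SERVICE_NAMES.get(port, "unknown"), n)
        for (src, port), n in denied.items()
    )
    return {"counts": dict(counts), "needs_rule_decision": needs_rule}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("blocked packets by category:", result["counts"])
    for src, port, service, n in result["needs_rule_decision"]:
        print(f"{src} -> tcp/{port} ({service}): {n} denied SYN(s)")
```

On the constructed sample, six of the nine lines are out-of-state tails of finished sessions and only the two bare SYNs to tcp/8883 from the Plex host surface as something a pass rule (or a deliberate block) has to decide; the UDP multicast line is left for the IGMP/mDNS relays to account for. The check worth keeping from this is the flag test in `classify`: anything without SYN that hits the default block rule is a state-table miss, not evidence that the pass rules above it were skipped.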