1. That is correct, that's exactly what my network looks like, but here is the weird thing: I've reverted the setup, and I didn't see Docker's IP in the VZ router's DHCP leases either, but I was able to use the same NGINX Proxy Manager to reverse proxy some of my self-hosted services. Taking a look at your possible solutions, it's basically this command line:
$ docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=eth0 pub_net
Very similar to creating a custom proxynet, right? Btw, yes, I've followed SpaceInvaderone's YouTube videos since I began using unRAID. That's why I decided to virtualize pfSense in the first place.
2. I have to break up the IOMMU group using the ACS override in order to split all of them into separate groups. I followed SpaceInvaderone's video as well.
3. That's right, but for some reason I'm able to get through locally, but not externally. I just can't identify whether it's the Docker containers (Nextcloud, Bitwarden) themselves being blocked by the pfSense firewall, or whether NGINX wasn't set up correctly to forward to the right address. I'm able to issue an SSL certificate and have already forwarded the right port for NGINX Proxy Manager. If I hadn't forwarded the right port, I wouldn't be able to request an SSL certificate from Let's Encrypt anyway; it would return "Internal error occurred" or something like that.
Additional question: am I able to use a LAN connection as the WAN to work with pfSense, instead of the real WAN cable from the ONT? I would like to keep the current network setup and work with pfSense until I fully solve this issue.
Thank you very much for the help btw!