What do you have set under DNS Resolver, Services → DNS Resolver → General Settings? For Network Interfaces do you have it set to all or specific interfaces? If specific interfaces, make sure you select IOT_VLAN and TENANT_VLAN.
You have a block rule that blocks IOT_VLAN to This Firewall. You are effectively blocking everything on IOT_VLAN to any address, including the WAN. Change that to LAN net. Also, your allow DNS rule should work, but I’m not sure. My DNS is configured a little differently than yours, as I set it to the interface of the network, i.e. IOT_VLAN address.
My DNS entry, which I think I got from one of Lawrence’s videos, is to force users to only use the PF DNS, even if they put a manual entry in their LAN settings on their device or PC.
That would be correct, I have that as well. You have a rule to only allow DNS from the pfSense FW and then a block rule to block DNS anywhere else. I also just noticed for your protocols you have UDP for the allow rule and TCP for the block. Set both rules to TCP/UDP since DNS always uses TCP and UDP.
You also have the allow DNS set to LAN Net; it needs to be LAN Address, and your Source should be LAN Net. Which again I believe will work, but since I have a different configuration, someone will have to correct me on that. But regardless, it needs to be LAN Address or IOT_VLAN Address for your Destination and LAN Net or IOT_VLAN Net for your Source for your Allow DNS.
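An added example, not from this thread or from pfSense itself: it models the IOT_VLAN rule tab the way the posts above describe it and flags the three problems they raise, namely the single-protocol DNS rules, the allow rule pointing at LAN net instead of the interface address, and a block to This Firewall with no correct allow DNS above it. `Rule`, `lint_dns_rules` and both rule sets are constructed for illustration; the order check relies on pfSense evaluating a tab top-down with first match winning.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    interface: str        # tab the rule lives on, e.g. "IOT_VLAN" (constructed model)
    action: str           # "pass" or "block"
    proto: str            # "udp", "tcp", "tcp/udp" or "any"
    src: str              # "IOT_VLAN net", "any", ...
    dst: str              # "IOT_VLAN address", "LAN net", "This Firewall", "any", ...
    dst_port: str = "any"

def lint_dns_rules(rules):
    """Findings for the mistakes raised in the thread; pfSense evaluates a tab
    top-down and the first match wins, so rule order is checked as well."""
    findings = []
    for iface in sorted({r.interface for r in rules}):
        tab = [r for r in rules if r.interface == iface]
        dns_pass = [r for r in tab if r.action == "pass" and r.dst_port == "53"]
        dns_block = [r for r in tab if r.action == "block" and r.dst_port == "53"]
        for r in dns_pass + dns_block:      # both DNS rules must cover TCP and UDP
            if r.proto != "tcp/udp":
                findings.append(f"{iface}: {r.action} DNS rule is {r.proto}; set it to tcp/udp")
        for r in dns_pass:                  # allow must target the resolver on this interface
            if r.dst != f"{iface} address":
                findings.append(f"{iface}: allow DNS destination '{r.dst}' should be '{iface} address'")
            if r.src != f"{iface} net":
                findings.append(f"{iface}: allow DNS source '{r.src}' should be '{iface} net'")
        # a block to This Firewall on any port swallows DNS to the resolver unless a
        # correct allow sits above it in the tab
        good = [i for i, r in enumerate(tab) if r in dns_pass and r.dst == f"{iface} address"]
        for i, r in enumerate(tab):
            if r.action == "block" and r.dst == "This Firewall" and r.dst_port == "any":
                if not good or i < good[0]:
                    findings.append(f"{iface}: block to This Firewall at row {i} has no allow DNS to '{iface} address' above it")
        if dns_pass and not dns_block:      # without the catch-all block, manual DNS entries bypass the resolver
            findings.append(f"{iface}: no block rule for DNS to other destinations")
    return findings

# Constructed IOT_VLAN tab mirroring the thread: UDP-only allow to LAN net, TCP-only block
BROKEN = [
    Rule("IOT_VLAN", "pass",  "udp", "IOT_VLAN net", "LAN net", "53"),
    Rule("IOT_VLAN", "block", "tcp", "IOT_VLAN net", "any", "53"),
    Rule("IOT_VLAN", "block", "any", "IOT_VLAN net", "This Firewall"),
    Rule("IOT_VLAN", "pass",  "any", "IOT_VLAN net", "any"),
]
# The same tab after the corrections discussed above
FIXED = [
    Rule("IOT_VLAN", "pass",  "tcp/udp", "IOT_VLAN net", "IOT_VLAN address", "53"),
    Rule("IOT_VLAN", "block", "tcp/udp", "IOT_VLAN net", "any", "53"),
    Rule("IOT_VLAN", "block", "any", "IOT_VLAN net", "This Firewall"),
    Rule("IOT_VLAN", "pass",  "any", "IOT_VLAN net", "any"),
]
```

Running `lint_dns_rules(BROKEN)` reports four findings and `lint_dns_rules(FIXED)` reports none; moving the This Firewall block above the allow in FIXED brings the ordering finding back.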
I have gone through Tom’s video on pfBlocker, but I have not played around with it, so I cannot answer that question truthfully. But that said, the changes should allow you to get to the Internet, and so I think it would also ensure pfBlockerNG should work. But again, I don’t have enough experience to answer that question.