Dang it. I can’t believe it’s not easier than this. Here’s the dead simple diagram of the idea:
As a baby step test, if I add a virtual IP in pfSense on a different subnet, Windows happily pings that address, so why would I need a separate VM (or a separate physical interface) just to connect to a thing on another subnet? I think @cairnsmaterio is on the right track with the VLAN config. I went as far as defining the VLAN before, but did not configure the UniFi switch ports. My devices are actually one more dumb switch away from each other on both ends. So technically it looks like this:
This might be another can of worms because not every device on the respective legs would live in the same VLAN… unless it means I need managed switches in place of the dumb ones. Isn’t this analogous to accessing an IP camera or doorbell on another subnet from my Windows PC?
I can’t bear this being over my head, but then again I have not been technical professionally for many years and was never a “networking professional”. Very much an ex-coder, weekend warrior, and endless tinkerer. Love home automation, gaming, and media, so this just ends up being an extension of that, but I keep hitting performance limitations that I hate. Any other suggestions on the setup before I fire up the VLAN option again? This is my first VLAN, and I thought iSCSI would be the easy one before I tackled walling off my IoT devices, so I really appreciate the help!!
Without the mess of diagram #2 (because I can wire around the dumb switches), how does a mere mortal solve for the problem in diagram #1?
Backup plan: if I’m going to run any wires, it’s going to be a 10GbE upgrade directly between my PC and FreeNAS.
Aside: Locked it up again… only happens under load. It will run for weeks and weeks if I don’t push it, and it’s the deadly combo of SMB and iSCSI running full tilt that does it.