UDM Pro and pfSense

Many thanks for this @brwainer !!

So, the networks in the UDM Pro are re-created as VLAN Only (except the Management VLAN on which the Unifi devices are, which I heard somewhere is probably better managed by the UDM Pro?) and the other VLANs are created on and managed by the pfSense (also create a Management VLAN on the pfSense to match the Management VLAN on UDM Pro?)?

I’m not sure I follow your second point though. Presumably, if I recreate the networks in pfSense and set the VLANs there, with corresponding VLAN Only networks in UDM Pro, the gateway IPs will be within pfSense based on the new networks / VLANs? Does that then deliver the same result as your point 2?

I’ve noticed also in the current situation, the “uplink” from my aggregation switch to the internet is through the UDM Pro of course. In order to facilitate my new situation (where I want all internet traffic to route through the pfSense and not through the UDM Pro), I will need to somehow change the uplink to be direct to pfSense? Not sure how to achieve that.

Thank you again for all and any assistance and expert advice!

Looking at the second diagram I would say that the UDM Pro is the wrong appliance, surely either Cloud Manage or use a Cloud Key Gen 2. If you need Unifi Protect then you’re better off with a dedicated Protect system anyway as the camera throughput alongside all the other functions could slow down the UDM Pro resources.

Based on my understanding ideally you shouldn’t be routing via the UDM Pro if you are looking at having direct 10GbE connections either via an aggregation switch or a 10GbE interface on pfSense.

The use case discussed by @brwainer and myself was more based on a SoHo implementation.

The UDM Pro doesn’t provide proper L3 switching as @LTS_Tom says in his video.

In essence the solution I used was to set the WAN interface to be in the default Unifi Management LAN to be 192.168.10.5 and then the LAN interface on pfSense to be 192.168.10.1 which was also the default router for the management LAN.

Hi @ilcifford72

Believe it or not, this actually IS for a SoHo (my own at home) :wink:

I do in fact have the UNVR Pro at home (wasn’t shown on either diagram), with the cameras on their own dedicated VLAN (together with the NVR of course), so the UDM Pro is not supporting that function.

The UDM Pro was already the controller of the network before I purchased the pfSense, so if at all possible I want to of course use it to manage the Unifi devices on the network. So to just use it for VLAN Only network support and to manage the existing Unifi network appliances is of course overkill for what it’s intended for normally, but it’s paid for so, why not? And it also means I don’t have to purchase hosting space for a cloud based controller or a new Cloud Key Gen 2.

“VLAN Only” means that the network will be provisioned on the switches and APs, but not on the gateway device. For the UDMP, this means the VLAN will work on the built-in LAN switch, but it won’t have an IP there. You need to have at least one network on the LAN side of the UDMP for it to be able to manage anything.

My “Point 2” earlier was assuming that you did not change any of these networks to “VLAN Only”. You could, and I probably would, have just left all those networks as-is on the UDMP, as long as you change the IP address it is using in that VLAN (controlled by the Gateway IP setting) to something that is different from what PFSense will respond to on that network. So on the one network you leave with an IP on the UDMP for managing the rest of the Unifi network equipment, you need to make sure its IP is different from PFSense’s.

Changing the “Uplink” from the aggregation switch is done by changing which device is responding (via ARP) to the IP address that all the devices are using for their default gateway. Meaning that once PFSense is in place and responding to ARP requests for x.x.x.1, and the UDMP is not responding on that IP as well, the traffic will go towards the PFSense on the aggregation switch. The “Uplink” shown in the Unifi controller is based on the ARP table and FDB (Forwarding Database) - it will show you which port has the MAC address that is responding to ARP requests for the default gateway IP. In other words, the controller is just showing you what is happening, the “Uplink” isn’t a setting you choose.
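As an added example (not code from this thread or from Ubiquiti/pfSense), a small Python check of the split described above: every VLAN needs a pfSense interface, the UDMP must keep an IP on at least one network, and on any network it keeps, its Gateway IP must differ from pfSense’s so only one box answers ARP for the gateway. The `UdmNetwork`/`PfInterface` records and the sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import List, Optional

@dataclass
class UdmNetwork:
    name: str
    vlan: int
    vlan_only: bool         # "VLAN Only": on switches/APs, no IP on the UDMP
    gateway: Optional[str]  # UDMP's own IP in that VLAN (Gateway IP setting), CIDR

@dataclass
class PfInterface:
    vlan: int
    address: str            # pfSense IP in that VLAN, CIDR; the real default gateway

def check_plan(udm: List[UdmNetwork], pf: List[PfInterface]) -> List[str]:
    """Return the problems found in a UDMP-behind-pfSense plan (empty = OK)."""
    problems = []
    pf_by_vlan = {i.vlan: ip_interface(i.address) for i in pf}
    # The UDMP must keep an IP on at least one network to reach the switches/APs.
    if all(n.vlan_only for n in udm):
        problems.append("no UDMP network keeps an IP; it cannot manage the Unifi devices")
    for n in udm:
        if n.vlan not in pf_by_vlan:
            problems.append(f"{n.name}: VLAN {n.vlan} has no pfSense interface, so no gateway")
            continue
        if n.vlan_only:
            continue  # no UDMP IP in this VLAN, nothing can clash
        if not n.gateway:
            problems.append(f"{n.name}: not VLAN Only but has no Gateway IP set")
            continue
        udmp, pfs = ip_interface(n.gateway), pf_by_vlan[n.vlan]
        if udmp.network != pfs.network:
            problems.append(f"{n.name}: UDMP {udmp} and pfSense {pfs} are in different subnets")
        elif udmp.ip == pfs.ip:
            # Both boxes would answer ARP for the gateway IP; clients would flap between them.
            problems.append(f"{n.name}: UDMP and pfSense both use {udmp.ip}; change the UDMP Gateway IP")
    return problems

# Constructed sample plan (not the thread's real addressing): management keeps a
# distinct UDMP IP, VLAN 20 is VLAN Only, VLAN 30 still has the clashing .1 address.
UDM_PLAN = [
    UdmNetwork("Management", 10, False, "192.168.10.5/24"),
    UdmNetwork("Users", 20, True, None),
    UdmNetwork("IoT", 30, False, "192.168.30.1/24"),
    UdmNetwork("Cameras", 40, True, None),
]
PF_PLAN = [PfInterface(10, "192.168.10.1/24"), PfInterface(20, "192.168.20.1/24"),
           PfInterface(30, "192.168.30.1/24")]
```

Running `check_plan(UDM_PLAN, PF_PLAN)` reports the IoT clash and the missing pfSense interface for VLAN 40.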