Hate replying to myself but apparently I need to setup routes on the servers … since this is a transparent bridge, traffic needs to hit the firewall for it to be encrypted, and not hit the default gateway which is on the other side of the firewall.
Yes, if it's not directed to an IP on the firewall, it won't route it. Without that, you're directing the traffic to the default gateway, which the firewall isn't going to route, it'll pass to the default gateway as it should (that's what the host is telling it to do by using that dest MAC).