@m5ip25
Just wanted to say that this seems similar to the issue I'm experiencing after updating to 2.7.0. In my case it's a simple point to point tap bridged to physical interfaces on each end. Tap needed because the whole purpose of the tunnel is to pass multicast video traffic.
https://forum.netgate.com/topic/183115/openvpn-client-process-fails-after-upgrade-to-2-7-0

@brepo

I feel a little sorry for myself, because I spent more than 10 years with pfsense and everything suited me before :)

@johnpoz : Linksys EA7300 - You said it would work, but it doesn't!!! 😆 🤣

Not listed as supported on the DD-WRT web site. 😞

But it is supported on OpenWRT with vLan! Yay!

So, cool beans! I can (probably) take it from here.
Thanks for your, and everyone's, help!!!

@oktech Vielleicht musst du PPPoE auf dem VLAN machen?

(bump) Someone?

Auch der Reboot löst das Problem mit der fehlenden IPv6 auf LAN nicht immer. Da bleibt wirklich nur auf 2.5 zu hoffen. I am ready! 🤞

Bridging VLANs like that is generally not recommended.

How many internal interfaces do you need configured like that?

If it's just one you could try breaking the ix2-3 lagg and reconfiguring the switch to connect Eth8 to ix2 directly and bridge that. Removing the VLAN will probably prevent the loss there.
Make sure you have some access to the firewall other than via the switched ports if you try that as it's very easy to get locked out!

Do you need to filter traffic across the bridge? If not you would be better off using an external switch to set that up.

@stephenw10
Thank Steve for your reply.
Switch 2 was connected to igb2 and was not communicating.
DHCP works correctly for both vlan1 and vlan67 on Switch 1, which connects to igb1.

I had added rules to both LAN (bridge0) and WiredLAN2 (igb2) to log any rejected events but there were nothing when Switch 2 was plugged in/out igb2.

Worst still, I started to observe about 0.5% errors out in LAN interface even with igb2 open. Snort was not reporting anything on LAN under the bridge config. These 2 factors are enough for me to pull back from this bridged config.

Thanks again for your advice anyway.

@kiokoman thanks for the tip, I have configured a bridge with linux tools (brctl) and I'm using virt-io and I thought that would be enough but it is in fact very reasonable that it would actually introduce limitations and weird behaviors like what I'm seeing, I will dig further the issue

I take it these .2 are vips you have setup.

What is the source of this traffic? Is it rfc1918 in your network - or public being forwarded to pfsense rfc1918 wan IP? Why do you think you want to do this? What do think it will accomplish exactly?

But sure you could outbound nat into your lan from your lan vip.

Dick? Really? Calling you out on calling yourself a ccie when clearly everyone knows that is not even close to true is not being a dick... That is just calling someone out on their BS!

So what was the problem, only tcp for the rule? Wrong source?
Maybe you had policy route on the rule? But that wouldn't of stopped ping to pfsense IP? Only ping to other lan.. That is another common mistake.

@JeGr gerne. Dafür habe ich das Posting ja gemacht das man aktuelle Informationen findet.

I figured it out, I forgot some settings elsewhere

A bridge is nothing more than a switch... If you need more ports on a L2, use a switch..

How about some details of what your trying to do exactly. What is this device/thing/whatever your trying to connect to a network? And what are the details of the network you want to connect to.

Is wireless involved? I can tell you most of the time - bridging would not be the right solution ;) Unless you are talking about bridging a wireless to wired??

Nobody can help you make a decision or even explain why you would want to do XYZ vs ABC without some details!

Create a LAGG on pfsense and on the switch stack. Use the LAGG as the vlan parent.

@xandercdn I have this working in my lab.

"net.link.bridge.pfil_member=1" and "net.link.bridge.pfil_bridge=0" under system tunables. Outgoing NAT is disabled WAN has an IP address for management WAN and LAN are joined in BRIDGE0 I do not have the bridge assigned under "Interface Assignments" I configured 10 Mbit/s in and out limiters using this example. I did not create the first two floating rules for ICMP since NAT is not involved in this config. If you want the limiter to only apply to a certain IP(s) you can change the source and destinations accordingly.
0_1543886890032_firewall_rules.jpg

I've attached the configuration I'm using:
0_1543886724746_config-dev-244p1.localdomain-20181203172356.xml