[Partial Fix] TAP Setup with a bridged VLAN interface



  • As perfectly outlined and diagnosed here (although not realising it's the VLAN that is the issue) https://forum.pfsense.org/index.php?topic=110933.msg617666#msg617666

    and again reported here https://forum.pfsense.org/index.php?topic=77100.msg420123#msg420123

    TAP mode OpenVPN connection to a bridged non-VLAN'ed interface works as expected (it gets a DHCP lease and all nodes in the subnet are accessible; if all traffic is set to route via this connection it again works as expected and exits the network with the public IP of the firewall's WAN)

    HOWEVER

    TAP mode OpenVPN connection with a bridged VLAN'ed interface gets a DHCP lease and can access all nodes within that interface's subnet EXCEPT the GW/firewall (if all traffic is set to route via this connection nothing exits)

    A packet capture for a ping shows it leaving and returning but it never arrives (it's like the returning traffic is not being correctly tagged with the VLAN ID)

    Is this possible with the current version, or is this a limitation?
    Is this actually a bug?
    Can this be addressed by outbound NAT rules or something along those lines?

    Regards

    Richard



  • Partial workaround or fix, depending on your use case:

    If you have another physical NIC, assign it as an interface and enable it, then bridge this new interface to your OpenVPN interface, then physically connect it to a switch port in your network that has been correctly set with the PVID of the VLAN you're trying to connect to.

    Remember to add a FW rule for this interface to allow traffic.

    You can test the correct set-up by temporarily setting your new interface to DHCP (it should be assigned an IP from your range in your VLAN).

    Now when using your OpenVPN client you are bridged in and can access the subnet and GW, and in our case upstream IPsec connections.

    Where it falls short is that the new interface is treated as a WAN: when enabling "Redirect Gateway", packets exiting are not being NAT'ed when they exit the GW. I looked at outbound NAT but it appears not to affect it.