Can't get to/past pfSense on new VLAN without captive portal

guitarpicker

I've had a simple 1 LAN / 1 WAN port pfSense installation for a year or so.  I tried adding a VLAN and an interface for a management network, but am having problems with connectivity.  Here's the intended setup:

bge0: Built in Broadcom BCM5761 NIC for WAN, connected to ISP's cable modem.
em0: Intel 82540EM NIC for LAN, untagged, using captive portal to authenticate clients (192.168.12.2/23)
VLAN 100 on em0: New management VLAN, riding on same NIC (192.168.100.1/24).

I want devices on the untagged VLAN to continue to use the captive portal to get to the WAN, while devices on VLAN 100 should be able to get to the WAN without the captive portal.

Devices on the original untagged VLAN work the same as ever, but clients using the new VLAN can not connect to the Internet or even ping pfSense at 192.168.100.1.  pfSense DOES successfully issue addresses for the new VLAN, and clients CAN ping each other within the VLAN, except for the pfSense address.  I tried adding some permissive firewall rules without any change.  I did find that if I enabled a captive portal for the new VLAN, then it would work, but I don't want to use a captive portal on that segment.

How do I get VLAN 100 to route to the WAN without a captive portal?  This is acting like it's missing some routing info or getting firewalled.

I am running pfSense CE 2.3.2-RELEASE.  Please let me know if there is more information I can provide.

Thank you.