The bridges are used to make the vlan's available in two physical different networks.

For info I have two more or less separated networks for two reasons:

• for redundancy, if one network fails, I can still use the other one
• one is a 10G network the other one a 2.5G / 1G network

For that reason, for instance the management vlan is connected to both networks where each network is connected with pfSense via a trunk.

The intention is of course that the whole thing behaves as one logical vlan.

However pfSense its bridge implementation is to say at least(!) weird.

Where you would expect that the 'members' to assign to a certain bridge are earlier defined vlan's, in the actual situations it are 'pfSense interfaces'.

This has three very strange complications:

• you have to define a 'dumy vlan related interface' for each network to tie up to a bridge
• than you have to define a 'second layer interface' based on the created bridge
• you need to allow the 'network related dummy interfaces to communicate with each other

Starting with the last point, I did run into that one yesterday, * without that allow rule:

• you can reach both networks from some another vlan (if allowed)
• and each 'bridge dummy vlan' can reach the internet (if allowed)
• however 'dummy vlan1' can not reach 'dummy vlan2'

Here some pictures to make the situation 'visible'

Of course this is not an elegant solution IMHO. The Bridge should tie vlan's together not 'pfsense-interfaces'