Pfsense bridge of vlan interfaces

Tags: bridge, pfsense, vlan

Hardware Setup

  • AMD E1-2100 Mini-ITX Motherboard with Onboard Gigabit (re0)
  • Intel PCI Express (x4) 4-port Gigabit Adapter (igb[0123])

Software Setup

  • pfSense v2.3

I'm trying to replicate my OpenWRT router, which is set up as a simple router + VLAN 2 => different isolated subnet for various WiFi things I don't trust. My WiFi bridges run two different SSIDs, one of which tags traffic VLAN 2. I successfully added igb[0123] as separate interfaces and combined them into BRIDGE0. I assigned an IP 10.0.1.1 to the BRIDGE0 interface, enabled DHCP, and can successfully use my box as a simple router.

However, when I combine four new virtual interfaces of VLAN 2 (w/ parent interfaces igb[0123]) into a single BRIDGE1 (IP 10.0.2.1), my VLAN 2 interface on my hardwired MacOS X box gets IP 10.0.2.20 via DHCP but fails to route anything. In other words, I cannot ping across the WAN or even 10.0.2.1. I created a new Firewall rule on BRIDGE1 to pass all IPv4 traffic. Per the pfSense docs, I also set some system tunables.

When I set IP 10.0.2.1 to the VLAN2 interface of the hardwired port that I happened to be plugged into, enable DHCP for that specific interface, and generally follow all the same steps for the specific VLAN'd port, I can ping across the WAN and 10.0.2.1.

I think the issue is isolated to BRIDGE1 being composed of VLAN2 virtual interfaces for each physical port.

  • Is what I'm doing possible?
  • If it's possible, what am I doing wrong?
  • Is there a better way to do this? My goal is to isolate weird, potentially malicious IoT devices, but I'm open to other ideas on network topology/setup.

Best Answer

Use two VLANs - One for your normal network, and one for your protected one.

VLAN1 = BRIDGE0 = 10.0.1.1/24

VLAN2 = BRIDGE1 = 10.0.2.1/24
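As an added example that is not part of the original question or answer, here is the FreeBSD-level ifconfig equivalent of the BRIDGE1 layout described above (a VLAN 2 child on each of igb0..igb3, all bridged, with 10.0.2.1/24 on the bridge itself) together with the bridge pfil tunables the pfSense docs recommend so that rules on the bridge interface apply. The bridge1 and igbN.2 names are assumptions; the script only prints the plan unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post or pfSense): FreeBSD-level
# equivalent of the question's BRIDGE1 setup. Interface and bridge names
# are assumptions; pfSense's GUI names the VLAN children differently.
VLAN_TAG=2
BRIDGE=bridge1
BRIDGE_IP=10.0.2.1/24
PORTS="igb0 igb1 igb2 igb3"

# Print the ifconfig/sysctl commands for the bridge-of-VLANs topology.
vlan_bridge_plan() {
    # Filter on the bridge interface (where the 10.0.2.0/24 pass rule
    # lives), not on each member, so the BRIDGE1 rule actually applies.
    echo "sysctl net.link.bridge.pfil_member=0"
    echo "sysctl net.link.bridge.pfil_bridge=1"
    echo "ifconfig $BRIDGE create"
    for p in $PORTS; do
        # parent.tag form creates the 802.1Q child with vlandev/vlan set
        echo "ifconfig $p.$VLAN_TAG create up"
        echo "ifconfig $BRIDGE addm $p.$VLAN_TAG"
    done
    # The L3 address belongs on the bridge, not on any member VLAN
    echo "ifconfig $BRIDGE inet $BRIDGE_IP up"
}

# Number of VLAN children that would be bridged (sanity check: one per port)
vlan_bridge_members() {
    vlan_bridge_plan | grep -c "addm "
}

# Apply only when explicitly asked, as root on the pfSense box
if [ "${APPLY:-0}" = 1 ]; then
    vlan_bridge_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
else
    vlan_bridge_plan
fi
```

The two sysctl lines are the tunables the question refers to; the pass rule on BRIDGE1 has no effect while filtering still happens on the member interfaces.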