Intermittent Connectivity Issues in L2 Bridge over WireGuard + VxLAN (OPNsense)

Started by glgontijo, Today at 07:27:07 PM

Hi everyone,

I'm reaching out because I've encountered a strange connectivity issue with my current VPN architecture. Here is the setup:

Server: OPNsense 25.7.11

Clients: 3x OPNsense nodes (v26.1.2), though the issue persisted even when they were on 25.7.

VPN: WireGuard for Site-to-Site connectivity.

Routing/HA: BGP + BFD for High Availability (2x WAN links on the server side).

L2 Extension: VxLAN over WireGuard + Bridge with local VLANs to maintain a single L2 broadcast domain across sites.

The Problem:
Some hosts on the Headquarters (HQ) LAN cannot see the clients, while others can. This behavior is reciprocal (affects both directions).

If I disable the packet filter (pf), everything responds normally.

When pf is active, only specific hosts can communicate.

Interestingly, broadcast traffic works perfectly across the entire network.

What I've tried so far:

Rules: I have "Allow All" (any-any) rules on the Bridge, VxLAN, and VLAN interfaces. I'm also using Floating Rules covering all member interfaces.

Tunables: I've toggled net.link.bridge.pfil_bridge and net.link.bridge.pfil_member in various combinations (0/1, 1/0, 0/0) with no success.

MSS Clamping: Enabled and disabled; no change.

BGP/Routing: I tried disabling the VPN on one of the WAN links to force traffic through a single path (ruling out BGP routing ARP to the wrong interface), but the behavior remained the same.

Constraints:
I must stick with an L2 architecture because I require L2 broadcast propagation for CCTV, VoIP, and WiFi Controllers. I considered switching to OpenVPN in TAP mode (which would also simplify the HA setup), but I prefer WireGuard for its superior performance with VoIP traffic.

Other hosts behind the client nodes are working fine and show no errors in broadcast or standard traffic. It seems to be a selective filtering issue despite the "allow all" rules.

Does anyone have insight into why the firewall might be dropping this traffic only for specific hosts within an L2 bridge?

Any help would be greatly appreciated!
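One thing worth comparing between a host that works and one that does not is which bridge-member interfaces its pf states are bound to. The script below is an added diagnostic, not code from the poster or from OPNsense: it parses `pfctl -ss` output and reports, per host, the set of member interfaces carrying its states. The interface names, addresses and sample lines are constructed for the example; the idea that states split across several members is worth a look is an assumption, not a confirmed diagnosis.

```python
import re
from collections import defaultdict

# One line of `pfctl -ss` on FreeBSD/OPNsense looks like:
#   <iface|all> <proto> <addr:port> <-|->|<-> <addr:port> <state>
# "all" marks a floating state; an interface name marks an if-bound state.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+"
    r"(?P<dir><->|->|<-)\s+(?P<b>\S+)\s+(?P<state>\S+)$"
)

def parse_states(text):
    """Return one dict per parsable state line; unrelated lines are skipped."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out

def host(addr):
    """Strip the :port suffix from an IPv4 addr:port token."""
    return addr.rsplit(":", 1)[0]

def states_per_host(states, members):
    """Map host IP -> set of bridge-member interfaces its states are bound to.
    Floating ('all') states are ignored because they are not interface-bound."""
    seen = defaultdict(set)
    for s in states:
        if s["iface"] in members:
            for tok in (s["a"], s["b"]):
                seen[host(tok)].add(s["iface"])
    return seen

def split_hosts(states, members):
    """Hosts whose states are bound to more than one bridge member (assumed
    to be worth comparing against hosts that communicate normally)."""
    return sorted(h for h, ifs in states_per_host(states, members).items()
                  if len(ifs) > 1)

# Constructed sample in the layout of `pfctl -ss`; not taken from the poster's firewall.
SAMPLE = """\
all tcp 10.10.0.20:51000 -> 10.20.0.5:5060       ESTABLISHED:ESTABLISHED
vlan10 udp 10.10.0.31:5060 -> 10.20.0.5:5060       MULTIPLE:MULTIPLE
vxlan0 udp 10.20.0.5:5060 <- 10.10.0.31:5060       MULTIPLE:MULTIPLE
bridge0 icmp 10.10.0.40:1234 -> 10.20.0.7:1234       0:0
"""
BRIDGE_MEMBERS = {"bridge0", "vlan10", "vxlan0"}  # assumed member names

if __name__ == "__main__":
    for h, ifs in sorted(states_per_host(parse_states(SAMPLE), BRIDGE_MEMBERS).items()):
        print(h, sorted(ifs))
    print("split across members:", split_hosts(parse_states(SAMPLE), BRIDGE_MEMBERS))
```

Feed it real output with `pfctl -ss | python3 script.py` after replacing SAMPLE with `sys.stdin.read()`, and set BRIDGE_MEMBERS to the actual bridge, VLAN and VxLAN interface names.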