I'm feeling like a complete idiot right now. I can't even get my Watchguard to grab a DHCP address from the network.
If I put my Macbook on VLAN2, it grabs an IP immediately and I can get out to the net.
If I put dummy IPs on the Macbook VLAN2 and the WG VLAN2, I can ping from the MacBook to the WG. Interestingly, I can't ping from the WG to the Macbook.
I've set my pfSense install back to defaults, I tried setting the MTU to 1496, I've put 'allow any <> any' rules on the WAN interface for both IPv4 and v6, and still no luck. So I'm dead in the water on testing.
One thing I did notice when I was messing with the firewall rules. There's an 802.1p button down near the bottom. Looks like you could create pass rules that add the 802.1p tags.
If I can figure out what's up with my DHCP problems I'll get back into this.