VIMAGE network stacks have issues with a bridge on top of a vlan interface. This limits the utility of having many jails on a freebsd host where the jails are bound to multiple vlans, resulting in having to bridge the entire trunk port to work around it, which can be a security risk. A patch was already introduced to truenas by delphij a few years ago, and it was confirmed to work on 10.3-RELEASE: https://github.com/trueos/trueos/commit/02859369158af2ae3bcb6a9e4434841239f7c526.diff
Submitted a review with the associated commit from TrueOS to speed things along: https://reviews.freebsd.org/D6015
Per kp@, current patch by delphij is not a proper fix for the issue (see review). I am going to dig deeper to try to find the root cause for two issues I am running into, which according to kp@ are unrelated but would be good to hunt down: 1) why the bridge is not accepting and retaining the mac address of the first interface attached to it. 2) why the bridge is unable to disable capabilities on the parent interface (likely IFCAP_LRO, but could be others as well). Regardless, kernel shouldn't be exposing all of SIOCSIFCAP to the parent interface.
(In reply to Shawn Debnath from comment #2) To clarify, my main objection to the patch at the moment is that we don't understand what it fixes and why. It's possible that it is actually the correct way to fix things (although I have some concerns w.r.t. vnet, but that's a different discussion).