diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -2404,6 +2404,12 @@
 		return (EINVAL);
 	}
 
+	/* Do VLAN filtering. */
+	if (!bridge_vfilter_out(bif, m)) {
+		m_freem(m);
+		return (0);
+	}
+
 	/* We may be sending a fragment so traverse the mbuf */
 	for (; m; m = m0) {
 		m0 = m->m_nextpkt;
@@ -2823,10 +2829,6 @@
 	if (sbif->bif_flags & dbif->bif_flags & IFBIF_PRIVATE)
 		goto drop;
 
-	/* Do VLAN filtering. */
-	if (!bridge_vfilter_out(dbif, m))
-		goto drop;
-
 	if ((dbif->bif_flags & IFBIF_STP) &&
 	    dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
 		goto drop;
@@ -3195,10 +3197,6 @@
 		if (sbif && (sbif->bif_flags & dbif->bif_flags & IFBIF_PRIVATE))
 			continue;
 
-		/* Do VLAN filtering. */
-		if (!bridge_vfilter_out(dbif, m))
-			continue;
-
 		if ((dbif->bif_flags & IFBIF_STP) &&
 		    dbif->bif_stp.bp_state == BSTP_IFSTATE_DISCARDING)
 			continue;
@@ -3364,6 +3362,14 @@
 
 	NET_EPOCH_ASSERT();
 
+	/*
+	 * If the interface is in span mode, then bif_sc will be NULL.
+	 * Since the purpose of span interfaces is to receive all frames,
+	 * pass everything.
+	 */
+	if (dbif->bif_sc == NULL)
+		return (true);
+
 	/* If VLAN filtering isn't enabled, pass everything. */
 	if ((dbif->bif_sc->sc_flags & IFBRF_VLANFILTER) == 0)
 		return (true);