Just to close the thread (as the problem is solved) by summarizing the “lesson learnt”
When planning to wirelessly bridge Access Points with no NAT boundary in order to extend the reach of the blue subnet (For example - To use a remote Access Point 5.8GHz radio in client mode to feed a second 2.4 GHz radio radiating as a standard blue network Access Point)
Ensure that IPFire’s blue access table does not contain IP addresses and MACs in the same entry.
Either / or per line is acceptable, but not both.
Having both ties the IP to the MAC so that when you roam to the bridged AP and forwarded
packets will have a different source MAC, IPFire will drop them - because you told it to!
Thanks once again to Terry for his insight.
Regards
BB