Transparent and virtual wire are two different solutions to the same problem. BIG-IP is indeed a full proxy, so to perform layer 2 "bump-in-the-wire" processing, either of the two techniques is essentially used to copy the layer 2 headers from one side of the proxy to the other. Inside the proxy, above layer 2, you can still do TLS termination. The only things you really should not do in a layer 2 configuration is IP and port translation. So basically, you create a wildcard virtual server (0.0.0.0/0) with address and port translation disables, no pool, no SNAT, and apply a virtual wire VLAN group to that virtual server. You can, however, apply a source, destination, and/or port value to the virtual server, as these will act as filters for the traffic (vs. a termination point). So a virtual wire VIP with a source of 192.168.0.0/16, for example, would only accept traffic coming from that IP range.