OPNsense Forum

English Forums => General Discussion => Topic started by: tiksustis@gmail.com on November 17, 2025, 10:46:22 AM

Title: Tagged and untagged vlans question [SOLVED]
Post by: tiksustis@gmail.com on November 17, 2025, 10:46:22 AM
Hello everybody,
I have a question regarding tagged and untagged vlans on opnsense.
In the documentation it states that mixing tagged and untagged vlans on the trunk is not supported and leaking might occur, plus recommends creating a "sacrificial VLAN" for untagged traffic (https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html#vlan-and-lagg-setup).

We have the opnsense router as a vm in a vmware cluster that connects to our physical switches through trunks that utilize and use the native vlan (1).
I was wondering if it is a valid configuration if I create my opnsense router with the following:

- 1 interface connected to an access port (vlan1) where traffic from the native vlan flows

- 1 interface connected as a trunk (using vmware vlan 4095) so that opnsense sends tagged traffic only, through multiple subinterfaces (one per vlan).

The first interface will be used for communication with the native vlan, and the second interface will not use vlan1 at all and will be used for communication with all the other vlans only through subinterfaces and tagged packets.
I cannot figure out from the documentation if this is a valid configuration or if there will be leaking from the second interface into the native vlan for some reason. In a test environment everything seems to be ok.

Eth0 -> vlan1 untagged packets

Eth1.10 -> vlan 10 tagged packets
Eth1.20 -> vlan 20 tagged packets
Eth1.30 -> vlan 30 tagged packets
...

We cannot abandon the untagged vlan (vlan1), and cannot configure an unused vlan due to the machine being a vm and using the virtual switches of the esxi hosts, which have to be common for all vms.
Thank you for your input and time.
Title: Re: Tagged and untagged vlans question
Post by: Monviech (Cedrik) on November 17, 2025, 11:08:43 AM
It should not be an issue if tagged and untagged are not mixed on the OPNsense on the same network interface.

If your trunk only has vlans configured on the OPNsense, then untagged frames are not evaluated on the port, as long as you don't actively use the parent interface of the VLANs.

By using a second interface for untagged, you are most likely good.
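The rule in this answer (a parent interface is either assigned directly for untagged frames or used as the parent of VLAN sub-interfaces for tagged frames, never both) can be checked before an interface plan goes to production. The script below is an added example written for this thread; it is not OPNsense code and OPNsense does not run such a check itself. The plan format, the assignment names, and the device names vmx0/vmx1 (vmxnet3 NICs as seen by FreeBSD) are constructed here; OPNsense generates its own device names for VLANs, so the ifconfig rendering only illustrates the tagged/untagged split at the OS level.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    """One OPNsense interface assignment (constructed plan format for this example)."""
    name: str             # assignment name as shown in the GUI, e.g. "LAN"
    parent: str           # vSwitch-facing device, e.g. "vmx0" (hypothetical NIC names)
    tag: Optional[int]    # 802.1Q tag of a VLAN sub-interface; None = parent used untagged


def find_mixed_parents(plan):
    """Return {parent: [assignment names]} for every parent device that is both
    assigned directly (untagged frames) and used as the parent of VLAN
    sub-interfaces (tagged frames). An empty dict means every parent is used in
    exactly one mode, which is the layout the answer above calls safe."""
    untagged = defaultdict(list)
    tagged = defaultdict(list)
    for iface in plan:
        bucket = untagged if iface.tag is None else tagged
        bucket[iface.parent].append(iface.name)
    return {p: untagged[p] + tagged[p] for p in untagged if p in tagged}


def render_ifconfig(plan):
    """Render FreeBSD ifconfig(8) commands equivalent to the plan, using the
    parent.tag naming from the question, so the split per parent is visible."""
    lines = []
    for iface in plan:
        if iface.tag is None:
            lines.append(f"# {iface.name}: parent {iface.parent} used directly (untagged)")
        else:
            lines.append(
                f"ifconfig {iface.parent}.{iface.tag} create vlan {iface.tag} "
                f"vlandev {iface.parent}  # {iface.name}, tagged"
            )
    return lines


# Constructed plan matching the layout in the question: one NIC on an access
# port (native VLAN 1, untagged), a second NIC on a VLAN 4095 port group that
# is only ever used through tagged sub-interfaces.
OP_PLAN = [
    Interface("LAN", "vmx0", None),
    Interface("VLAN10", "vmx1", 10),
    Interface("VLAN20", "vmx1", 20),
    Interface("VLAN30", "vmx1", 30),
]

# Constructed counterexample: the same NIC carries LAN untagged and VLAN
# children, which is the mix the documentation warns about.
MIXED_PLAN = [
    Interface("LAN", "vmx1", None),
    Interface("VLAN10", "vmx1", 10),
]

if __name__ == "__main__":
    for label, plan in (("OP plan", OP_PLAN), ("mixed plan", MIXED_PLAN)):
        problems = find_mixed_parents(plan)
        verdict = "OK" if not problems else f"mixed parents: {problems}"
        print(f"{label}: {verdict}")
        print("\n".join(render_ifconfig(plan)))
```

Run it as-is to see the question's layout pass and the counterexample flag vmx1; to check a real plan, list each assignment with its parent device and tag (None for a parent that is assigned directly) and look for a non-empty result.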
Title: Re: Tagged and untagged vlans question
Post by: tiksustis@gmail.com on November 17, 2025, 11:35:30 AM
I suspected as much but wanted a more expert view before moving it to production.
Thank you for your time.