Virtual OPNsense: VLANs on VM definition or inside OPNsense?

Started by afan, January 19, 2021, 10:23:03 AM

Hi all,

I'm running OPNsense on VMware ESXi 6.7 and have about 10 VLANs.

What is the most recommended way of working?
A/ Define the VLANs on the VMware VM definition (so a unique interface is presented to OPNsense)
B/ Apart from the mandatory LAN and a WAN, provide a trunk interface to OPNsense with all VLANs and define the other VLANs in OPNsense (subinterface of the trunk)

What are the advantages/disadvantages of each approach?

Advantages of A:
- Security: in case OPNsense gets breached, the VLANs that are not defined to the VM will not be visible

Advantages of B:
- When adding a VLAN, OPNsense doesn't need to be restarted

I'm sure there are more - any ideas?
E.g. is there an expected CPU overhead or speed drop with one approach vs. the other?
Or expected issues when moving OPNsense to a different system?

I implement VLAN's as port groups on ESXi to connect easily to other VM's.

Bart...

I have about 10 VLANs connected as a trunk to OPNsense. VLANs are declared inside OPN. All other VMs are connected to access ports declared on the Virtual Switch. They know nothing about VLANs at all. The only VM that handles VLAN tagging is OPNsense.
I think it is better in terms of configuration, because if you add, delete or change a VLAN you can do it inside OPN and you don't need to change the virtual hardware.
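For readers who want to see what the two layouts discussed in this thread look like as actual commands, here is an added example (not posted by anyone in the thread, and not OPNsense or VMware project code). It emits the ESXi shell (`esxcli`) and FreeBSD `ifconfig` commands for approach A (one access port group per VLAN, one OPNsense vNIC each) and approach B (a single VLAN ID 4095 "Virtual Guest Tagging" trunk port group handed to OPNsense, with the VLANs created as 802.1Q subinterfaces inside OPNsense). The vSwitch name `vSwitch0`, the OPNsense-side trunk NIC name `vmx1`, the port group names and the VLAN list are all assumptions; substitute your own. It only prints commands, so it runs anywhere; pipe the output of a function into `sh` on the matching host to apply it.

```shell
#!/bin/sh
# Added example, not from the forum thread. Generates the commands for the two
# VLAN layouts discussed: approach A (one ESXi port group per VLAN, one vNIC
# each in OPNsense) and approach B (one 4095 trunk port group to OPNsense,
# VLANs defined inside OPNsense). All names below are assumptions.

VSWITCH="${VSWITCH:-vSwitch0}"     # assumed standard vSwitch name
TRUNK_DEV="${TRUNK_DEV:-vmx1}"     # assumed OPNsense-side name of the trunk vNIC
VLANS="${VLANS:-10 20 30 40}"      # constructed VLAN list for the example

# Approach A, ESXi side: one access port group per VLAN. The OPNsense VM gets
# one vNIC per port group and sees only untagged frames, so a VLAN without a
# port group attached to the VM is simply not reachable from inside the guest.
approach_a_esxi() {
  for id in $VLANS; do
    pg="OPNsense-VLAN$id"
    printf 'esxcli network vswitch standard portgroup add --portgroup-name=%s --vswitch-name=%s\n' "$pg" "$VSWITCH"
    printf 'esxcli network vswitch standard portgroup set --portgroup-name=%s --vlan-id=%s\n' "$pg" "$id"
  done
}

# Approach B, ESXi side: a single port group with VLAN ID 4095 (Virtual Guest
# Tagging) passes every tag through to the guest untouched. Note the trade-off
# from the thread: the guest can now emit frames for any VLAN on the vSwitch,
# so the vSwitch no longer limits which VLANs a compromised OPNsense can reach.
approach_b_esxi() {
  printf 'esxcli network vswitch standard portgroup add --portgroup-name=OPNsense-Trunk --vswitch-name=%s\n' "$VSWITCH"
  printf 'esxcli network vswitch standard portgroup set --portgroup-name=OPNsense-Trunk --vlan-id=4095\n'
}

# Approach B, OPNsense side: 802.1Q subinterfaces on the trunk vNIC, as
# FreeBSD ifconfig(8) creates them. OPNsense normally does this from
# Interfaces > Other Types > VLAN and persists it in config.xml; these are the
# equivalent shell commands, useful to confirm what the GUI produced.
approach_b_opnsense() {
  for id in $VLANS; do
    printf 'ifconfig vlan%s create vlan %s vlandev %s\n' "$id" "$id" "$TRUNK_DEV"
  done
}

# Checks: list the port groups and their VLAN IDs on the ESXi host, and the
# VLAN interfaces (with parent and tag) on the OPNsense side.
verify_esxi()     { printf 'esxcli network vswitch standard portgroup list\n'; }
verify_opnsense() { printf 'ifconfig -g vlan | xargs -n1 ifconfig\n'; }

# Stand-alone run: show both layouts side by side.
echo '# --- approach A (ESXi) ---';      approach_a_esxi
echo '# --- approach B (ESXi) ---';      approach_b_esxi
echo '# --- approach B (OPNsense) ---';  approach_b_opnsense
echo '# --- verification ---';           verify_esxi; verify_opnsense
```

Adding a VLAN under approach A means a new port group plus a new vNIC on the OPNsense VM (the restart the original poster mentions); under approach B it is one more `ifconfig ... create` (or GUI entry) on a trunk that already carries the tag, with no change to the virtual hardware, which is the point made in the last reply.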