Do I need a LAN interface once all my traffic is managed via VLAN?

[Could]

Hi,

I am wondering if I need a LAN interface (I mean the default LAN interface created by OPNSense) defined once all my traffic is managed using VLAN networks, so I guess/expect there should be no traffic going through this interface.

I can only see the LAN network could be useful in case something goes wrong and I need to connect directly to the firewall bypassing my switch, but I feel like I am missing a huge detail here! 

P.S.:
Actually I am thinking to use VLAN over LAGG, so default LAN interface seems to be even more useless, but again, I feel I am doing something wrong.

[Patrick M. Hausen]

LAN is just a symbolic name. You can assign that to one of your VLANs if that makes sense. Or delete it altogether.

I have all VLANs internally and they are named

LAN
WIN
SRV
RPI

respectively.

[meyergru]

What the OP is really asking is if it is advisable to remove all untagged interfaces from OpnSense.

For normal operation, this is totally fine, BUT:

For catastropic hardware failures, you would deploy a new hardware (or harddisk) with a default configuration, thus you need to connect to the device untagged again. So, you need to keep a means to access a physical untagged RJ45 port. That could be a PC which has an RJ45 port or an untagged port on your switch that is on the same network as your configuration client in case that connects via a tagged WLAN.

If your switch fails, you would probably replace it with another managed one - probably of the same type so you can restore the configuration. This can get messy with modern systems like Unifi. You better keep an eye on where you keep the configuration backups so they are not out of reach (like in the cloud or on your own network which you cannot reach at that time).

All of this is probably a bit harder with VLAN-only, but planning ahead of time is always a good idea.

[Could]

Exactly (sorry if it was not clear) what I meant was if it is ok to remove all untagged interfaces, also the default one (called LAN) so you can access to the network only through a VLAN tag.

So it is anyway better to have at least one untagged network just in case, and maybe create some strict firewall rules in order to reduce vulnerabilities.

[meyergru]

You might as well create a "management" network which is untagged (aka the parent interface of all your VLANs) and can reach your OpnSense GUI and to which nothing else is attached.

In practice, though, you often have "trunk" ports for switch interconnections and APs. Those are vulnerable, because anything that is connected to them has management access. Without port security, that is.