Tagged and untagged vlans question [SOLVED]

Started by tiksustis@gmail.com, November 17, 2025, 10:46:22 AM

November 17, 2025, 10:46:22 AM Last Edit: November 17, 2025, 11:36:28 AM by tiksustis@gmail.com Reason: [SOLVED]
Hello everybody,
I have a question regarding tagged and untagged vlans on opnsense.
In the documentation it states that mixing tagged and untagged vlans on the trunk is not supported and leaking might occur, plus recommends creating a "sacrificial VLAN" for untagged traffic (https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html#vlan-and-lagg-setup).

We have the opnsense router as a vm in a vmware cluster that connects to our physical switches through trunks that utilize and use the native vlan (1).
I was wondering if it is a valid configuration if I create my opnsense router with the following:

- 1 interface connected to an access port (vlan1) where traffic from the native vlan flows

- 1 interface connected as a trunk (using vmware vlan 4095) so that opnsense sends tagged traffic only, through multiple subinterfaces (one per vlan).

The first interface will be used for communication with the native vlan, and the second interface will not use vlan1 at all and will be used for communication with all the other vlans only through subinterfaces and tagged packets.
I cannot figure out from the documentation if this is a valid configuration or if there will be leaking from the second interface into the native vlan for some reason. In a test environment everything seems to be ok.

Eth0 -> vlan1 untagged packets

Eth1.10 -> vlan 10 tagged packets
Eth1.20 -> vlan 20 tagged packets
Eth1.30 -> vlan 30 tagged packets
...

We cannot abandon the untagged vlan (vlan1), and cannot configure an unused vlan due to the machine being a vm and using the virtual switches of the esxi hosts, which have to be common for all vms.
Thank you for your input and time.

It should not be an issue if tagged and untagged are not mixed on the OPNsense on the same network interface.

If your trunk only has vlans configured on the OPNsense, then untagged frames are not evaluated on the port, as long as you don't actively use the parent interface of the VLANs.

By using a second interface for untagged, you are most likely good.
Hardware:
DEC740
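One way to confirm the answer above in a test environment is to capture on the trunk NIC (Eth1 in the thread) and check that nothing untagged, and no tag outside the configured set, ever shows up there. This is an added example, not code from the thread or from OPNsense: a small 802.1Q frame parser and an audit function, run over a constructed sample capture; the `build_frame` helper and the sample frames are assumptions made for the demonstration.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q TPID

def parse_frame(frame: bytes) -> dict:
    """Parse a raw Ethernet frame; vlan is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan, "ethertype": ethertype}

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Constructed helper for the sample data: build a frame, tagged when vlan is given."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def audit_trunk(frames, allowed_vlans) -> dict:
    """Classify frames captured on the tagged-only trunk NIC (Eth1 in the thread).
    An untagged frame, or a tag outside allowed_vlans, means traffic that should only
    exist on the native-VLAN interface (Eth0) is reaching the trunk."""
    report = {"ok": 0, "untagged": 0, "unexpected_vlan": []}
    for frame in frames:
        info = parse_frame(frame)
        if info["vlan"] is None:
            report["untagged"] += 1
        elif info["vlan"] not in allowed_vlans:
            report["unexpected_vlan"].append(info["vlan"])
        else:
            report["ok"] += 1
    return report

# Constructed sample capture: two expected tagged frames, one untagged frame
# (native VLAN 1 leaking onto the trunk) and one frame tagged with VLAN 1.
_DST, _SRC, _ARP, _IPV4 = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0806, 0x0800
SAMPLE_FRAMES = [
    build_frame(_DST, _SRC, _ARP, b"\x00" * 28, vlan=10),
    build_frame(_DST, _SRC, _IPV4, b"\x00" * 20, vlan=20),
    build_frame(_DST, _SRC, _ARP, b"\x00" * 28),           # untagged: leak
    build_frame(_DST, _SRC, _IPV4, b"\x00" * 20, vlan=1),  # tagged VLAN 1: unexpected
]

def demo() -> dict:
    # Audit the sample capture against the thread's tagged VLANs 10/20/30.
    return audit_trunk(SAMPLE_FRAMES, {10, 20, 30})
```

In practice the frames would come from a capture on the trunk interface; a clean result is all frames counted under `ok`.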

I suspected as much but wanted a more expert view before moving it to production.
Thank you for your time.