Proxmox & Opnsense VLAN Configuration

Started by user2311, November 23, 2025, 06:51:25 PM

Hello everyone,
I am currently trying Proxmox with OPNsense as a VM and trying to understand the VLAN functions and firewall rules better. I have made a config and it is working, but I am asking myself why some things work and some don't. Maybe one of you can answer them.
1. Why am I able to connect to the firewall and Proxmox when my PC on switch port 5 is VLAN 10 untagged but port 2 (switch -> Proxmox) is tagged VLAN 10?
2. When I put VLAN 10 untagged on port 2 and tagged VLAN 20 & 30, I can't connect to the firewall or Proxmox anymore.
3. I want to add new WLAN SSIDs called Users (e.g. VLAN 11) and Guest (VLAN 12) on the access point. Do I need to add new Linux bridges and Linux VLANs? If so, do I need to make the bridge VLAN aware? And on the OPNsense VM: I would have to add the bridges to the network settings and add a VLAN tag (VLAN tag 11 and 12) to them, right?
4. In the 192.168.178.0/24 network, the firewall is reachable with its WAN IP address 192.168.178.254. Isn't this a security risk, since it's reachable from the 192.168.178.0/24 network?
5. How does my current setup work when the OPNsense VM doesn't have VLAN tags 10, 20, 30 assigned in the network settings?
This is my proxmox setup:
/etc/network/interfaces
auto lo
iface lo inet loopback

iface enp1s0 inet manual

iface wlp2s0 inet manual

auto enp1s0.10
iface enp1s0.10 inet manual
#LAN VLAN 10

auto enp1s0.20
iface enp1s0.20 inet manual
#WAN VLAN 20

auto vmbr0
iface vmbr0 inet manual
        bridge_ports enp1s0.20
        bridge_stp off
        bridge_fd 0
#WAN → no IP address

auto vmbr1
iface vmbr1 inet static
        address 192.168.100.2
        netmask 255.255.255.0
        gateway 192.168.100.1
        bridge_ports enp1s0.10
        bridge_stp off
        bridge_fd 0
        bridge_vlan_aware yes
        bridge_vids 2-4094
#LAN → management access
I have added some screenshots of the configs.
If you need any more information, let me know. Thank you for any help :)


Quote from: user2311 on November 23, 2025, 06:51:25 PM
1. Why am I able to connect to the firewall and Proxmox when my PC on switch port 5 is VLAN 10 untagged but port 2 (switch -> Proxmox) is tagged VLAN 10?
This is how VLANs work.
Switch port 5, which your PC is connected to, is assigned to VLAN 10 as untagged. That means it tags incoming packets and removes the tag from outgoing ones.

Switch port 2 hands out the VLAN 10 packets as tagged. It doesn't tag incoming packets.
Proxmox is configured to remove the VLAN tags of incoming packets and add tags to outgoing ones. The virtual bridge is connected to this VLAN, Proxmox has an IP on it, and OPNsense is connected to it as well. So you can reach both devices.

Quote from: user2311 on November 23, 2025, 06:51:25 PM
2. When I put VLAN 10 untagged on port 2 and tagged VLAN 20 & 30, I can't connect to the firewall or Proxmox anymore.
Proxmox only expects tagged packets on this interface.

Quote from: user2311 on November 23, 2025, 06:51:25 PM
3. I want to add new WLAN SSIDs called Users (e.g. VLAN 11) and Guest (VLAN 12) on the access point. Do I need to add new Linux bridges and Linux VLANs? If so, do I need to make the bridge VLAN aware? And on the OPNsense VM: I would have to add the bridges to the network settings and add a VLAN tag (VLAN tag 11 and 12) to them, right?
First of all, you should reconsider your setup.

When configuring VLANs for a virtualized router, there are two ways to do this:
  • Either you can do all the VLAN termination, tagging and untagging on Proxmox. In this case you have to add all VLANs on Proxmox and connect a separate virtual bridge to each.
    Then add a virtual interface to the router VM for each VLAN and connect it to the respective bridge.
  • The other way is to terminate all VLANs in the router VM.
    In this case you only need a single bridge for all of them in Proxmox, with "VLAN awareness" enabled. Likewise, you only need a single interface for all VLANs on the router VM, and you configure the VLANs inside the router.
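The two designs from this reply, checked against an /etc/network/interfaces file, as an added example that is not code from the thread or from Proxmox; the sample file is constructed from the config posted in the question plus a hypothetical vmbr2 that follows the single VLAN-aware bridge design:

```python
import re
# Constructed sample: vmbr0/vmbr1 modelled on the question's config, vmbr2 is hypothetical.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet manual
        bridge_ports enp1s0.20
        bridge_stp off
auto vmbr1
iface vmbr1 inet static
        address 192.168.100.2
        bridge_ports enp1s0.10
        bridge_vlan_aware yes
        bridge_vids 2-4094
auto vmbr2
iface vmbr2 inet manual
        bridge_ports enp1s0
        bridge_vlan_aware yes
"""

def parse_interfaces(text):
    """Return {iface: {option: value}} for every 'iface' stanza."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":
            cur = stanzas.setdefault(parts[1], {})
        elif parts[0] in ("auto", "allow-hotplug", "source"):
            continue  # top-level keywords, not stanza options
        elif cur is not None:
            cur[parts[0]] = " ".join(parts[1:])
    return stanzas

def classify_bridges(text):
    """Map each bridge to the VLAN design it follows."""
    # design1: VLAN subinterface as port, not VLAN-aware: Proxmox adds/strips the tag.
    # design2: raw NIC as port, VLAN-aware: tags reach the router VM, which terminates them.
    # mixed:   VLAN-aware bridge on a subinterface: a tag set on the VM NIC is stacked
    #          on top of the subinterface's own tag (QinQ on the wire), rarely intended.
    # plain:   raw NIC as port, no VLAN awareness declared.
    result = {}
    for name, opts in parse_interfaces(text).items():
        if "bridge_ports" not in opts:
            continue
        ports = opts["bridge_ports"].split()
        aware = opts.get("bridge_vlan_aware", "no").lower() == "yes"
        sub = any(re.fullmatch(r"[^.\s]+\.\d+", p) for p in ports)
        result[name] = ("mixed" if aware else "design1") if sub else ("design2" if aware else "plain")
    return result
```

Run against the question's config, vmbr1 comes out as "mixed": it terminates VLAN 10 on Proxmox and is VLAN-aware at the same time, which is the combination the reply suggests reconsidering.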