Virtual wire interfaces by default allow all untagged
traffic. You can, however, use a virtual wire to connect two interfaces
and configure either interface to block or allow traffic based on
the virtual LAN (VLAN) tags. VLAN tag 0 indicates untagged traffic.
You can also create multiple subinterfaces, add them into different
zones, and then classify traffic according to a VLAN tag or a combination
of a VLAN tag with IP classifiers (address, range, or subnet) to
apply granular policy control for specific VLAN tags or for VLAN
tags from a specific source IP address, range, or subnet.