Subject: Re: vlan(4), native vlan/vlan1, OpenBSD v.s. NetBSD behavior
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: tech-net
Date: 12/16/2005 01:19:43

> Are you sure it's not tagged ? Don't you see them also on vlan1 ?
> Some fxp devices support hardware 802.1q, and in this case tcpdump
> doesn't show you the vlan tag for packets received.
Yes; incoming is only seen on the physical. tcpdump(8) shows no tag.
Outbound is seen in tcpdump(8) on both the logical (w/o) and physical
(with the tag).

Essentially the answer is: Don't use VLAN1 to isolate insecure devices.
Each vendor has different uses for it.

More insightful discussion at:
http://marc.theaimsgroup.com/?t=113459493000002&r=1&w=2 from tech@

Thx everyone.

~BAS

> > [...]
> > So it seems that NetBSD has some "magic code"(r) to deal with the native
> > VLAN, because most admins assume that a VLAN router can see a VLAN1
> > interface on a trunk regardless if the packets are tagged or not.
>
> Packets received from an interface are passed to the IP stack, and
> the IP stack won't check the interface the packet came from, unless
> you set net.inet.ip.checkinterface to 1 (weak host model vs strong
> host model - both have pros and cons). So you could receive the packet from
> any interface (physical, or another vlan), it would be processed,
> it's not something magic with vlan1.
>
> OpenBSD may have a different default for net.inet.ip.checkinterface (if
> it's possible to choose at all the behavior on openbsd)