Yes, NG Firewall supports both tagged (802.1q) VLANs and untagged VLANs.
Untagged VLANs are just separate networks on the same interfaces and can be handled by:
- Adding an alias to the appropriate interfaces (e.g. 192.168.15.1/24 to the Internal Aliases), effectively telling NG Firewall that this network range is local on this interface.
- Adding a route so traffic for that subnet is routed appropriately (e.g. 192.168.15.1/24 is routed to "local on Internal (eth1)").
Tagged VLANs are handled by creating a separate VLAN interface in Config > Network. All traffic received on the configured Parent interface with the configured VLAN tag will be perceived to come from the VLAN interface. All traffic sent to the configured VLAN interface will actually be sent on the Parent interface with the configured VLAN tag.
See Network Configuration - VLANs for more information.
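The tagged-VLAN behaviour described above (tag on the Parent interface in, VLAN interface out, and the reverse on send) can be sketched as follows. This is an added example, not NG Firewall code; the interface name `eth1.15`, VLAN ID 15, the sample frame and the handling of unconfigured tags are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Hypothetical table: (parent interface, VLAN ID) -> VLAN interface name
VLAN_INTERFACES = {("eth1", 15): "eth1.15"}


def classify_ingress(parent, frame):
    """Return (logical interface, untagged frame) for a frame received on parent."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return parent, frame  # untagged: belongs to the parent interface itself
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF  # the low 12 bits of the TCI carry the VLAN ID
    iface = VLAN_INTERFACES.get((parent, vid))
    if iface is None:
        # Assumption of this sketch: a tag with no configured VLAN interface
        # is reported as unmatched rather than delivered anywhere.
        return None, frame
    return iface, frame[:12] + frame[16:]  # strip the 4-byte tag


def tag_egress(vlan_iface, frame, priority=0):
    """Return (parent interface, tagged frame) for a frame sent to a VLAN interface."""
    for (parent, vid), name in VLAN_INTERFACES.items():
        if name == vlan_iface:
            tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vid)
            return parent, frame[:12] + tag + frame[12:]
    raise KeyError(vlan_iface)


# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, dummy payload
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    parent, tagged = tag_egress("eth1.15", UNTAGGED)
    print(parent, tagged.hex())
    print(classify_ingress(parent, tagged)[0])
```

Frames carrying a VLAN tag that matches no configured VLAN interface are the case to watch when auditing a trunk port, since they indicate traffic for a segment the firewall has no interface for.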