As sdifox said, it usually depends on the situation. I prefer to not have VLANs defined on the router/firewall if that is your connection to the outside internet. You want to limit what an attacker could access, and by having the VLANs applied from the core switch to the router, you can better defend against this situation as you have to assume they could then redefine the VLANs (or even just view them) to more quickly gain information and compromise your network.
I have a router-on-a-stick setup, so even more complex, but I have 2 VLANs defined on my core switch that I pass through as a trunk to the network port that my router uses. One is for the external WAN VLAN (which has another port on my core switch which is connected to the cable modem, with that port assigned directly to the WAN VLAN), and the other VLAN is effectively called the TRANS-LAN VLAN. No other ports on my core switch have the WAN VLAN passed to them.
I have a default deny rule in the core switch (which is really a layer 3 switch, thus it is a router). I have other rules defined for my other VLANs such that if they need internet connectivity, they are allowed to route to the TRANS-LAN VLAN and vice versa. This way I can prevent devices from reaching the internet based if they have a rule to access the TRANS-LAN VLAN or not and I created various VLANS for segmenting different items from themselves (this is mainly all due to Internet-of-Things devices, like IP based smart-home devices because we know how well security is kept up-to-date on these kinds of things, so if it doesn't absolutely need the internet, it isn't able to connect).
Facebook
Twitter