Swconfig VLANs without tagging

Hi all,

I've been studying swconfig code and I think I understand how it works. The user can specify which ports are in a VLAN. Typically you'll have two VLANs, LAN & WAN.

Typically each VLAN will have one port connected to the CPU. This port tags frames when transmitting to the CPU. This way Linux can use virtual VLAN devices to demux the packets to different interfaces for each VLAN.

If that is correct, the only part that confuses me is the physical ports will typically not tag the frames going out. That makes sense, but surely doesn't that stop it being a VLAN? Is this type of VLAN usage unique to OpenWRT?

Thanks in advance
Don

What type of usage?

This is pretty normal.

On OpenWrt, to use a switch, you have to have a VLAN...that's pretty much the same on all networking equipment. A port can be TAGGED, UNTAGGED or DISABLED.

Sounds like you're thinking along the right lines. As @lleachii points out, the switch can be configured, on a port-by-port basis, to either strip the tag from a given "internal" VLAN, or to pass the tag out "on the wire".

Since most consumer devices aren't "VLAN-aware", typically "untagged" is selected for the "WAN" and "LAN" ports in default configuration.

In my "world", everything is tagged, as I run several isolated VLANs. Stripping of VLAN tags and use of PVID, where needed, is pushed out to the switches that are directly connected to devices, or implicit in the use of WiFi (which, over the air, doesn't "understand" VLANs).

Another thing to remember is that when an untagged packet reaches a switch, it is assigned the PVID for the port (or, if so configured on a switch capable of doing so, rejected). This can be a "well known VLAN", such as one that will be recognized by a phy connected to or on the SoC, and/or by other devices in the network. It can also go to an "internal-only" or "black-hole" VLAN -- one that only the switch uses, that gets stripped off when/if the packet exits the switch.

I could, for example, use VLAN 1234 as the PVID on ports A and B, marking VLAN 1234 as "untagged" on ports A and B, effectively "wiring" the two together for untagged packets.

4095 is commonly used for the black-hole VLAN on enterprise-grade switches, as it is not permitted to be transmitted over the wire. 0 is also a "reserved" VLAN, for other reasons.

Great, thanks for clearing that up for me.

I thought that sending packets out untagged would counter the entire point of the VLAN.

I now understand that VLAN is not just tagging but a policy feature of the switch. So the switch can enforce a VLAN using just the ports without the VLAN.

The tagging aspect is to get a VLAN to cross multiple switches (aka infrastructure) as well as other use-cases such as the OpenWRT one.

1 Like
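The port behaviour discussed in this thread, as an added example that is not part of any poster's message and is not swconfig code: a small Python model of PVID assignment on ingress, VLAN membership, and tag stripping on egress. The port names, the VLAN 1/2 layout and the `forward` helper are assumptions made for illustration; every frame is treated as flooded (no MAC learning).

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int  # VLAN given to untagged frames arriving on this port
    tagged: set = field(default_factory=set)    # VLANs sent with the tag kept
    untagged: set = field(default_factory=set)  # VLANs sent with the tag stripped
    drop_untagged: bool = False  # reject untagged ingress instead of using PVID

    def member(self, vid):
        return vid in self.tagged or vid in self.untagged

def forward(ports, in_port, frame_vid=None):
    """Return {egress_port: vid_on_wire_or_None} for one flooded frame.

    frame_vid is the 802.1Q tag seen at ingress, or None for an untagged frame.
    """
    src = ports[in_port]
    if frame_vid is None:
        if src.drop_untagged:
            return {}
        vid = src.pvid           # untagged frame: classify by the port's PVID
    else:
        vid = frame_vid
    if not src.member(vid):      # ingress port is not in that VLAN: drop
        return {}
    out = {}
    for name, dst in ports.items():
        if name != in_port and dst.member(vid):
            # The tag survives only where the VLAN is marked tagged on egress.
            out[name] = vid if vid in dst.tagged else None
    return out

# Constructed layout: CPU port tagged in LAN (1) and WAN (2), physical ports
# untagged, plus ports A and B "wired" together through internal VLAN 1234.
PORTS = {
    "cpu":  Port(pvid=1, tagged={1, 2}),
    "lan1": Port(pvid=1, untagged={1}),
    "lan2": Port(pvid=1, untagged={1}),
    "wan":  Port(pvid=2, untagged={2}),
    "A":    Port(pvid=1234, untagged={1234}),
    "B":    Port(pvid=1234, untagged={1234}),
}

if __name__ == "__main__":
    for port, vid in [("lan1", None), ("wan", None), ("cpu", 2), ("A", None)]:
        print(port, vid, "->", forward(PORTS, port, vid))
```

An untagged frame arriving on `lan1` reaches `cpu` tagged with VLAN 1 and `lan2` untagged, and never reaches `wan`: the isolation comes from port membership, while the tag only matters on links that carry more than one VLAN.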