The first VLAN Bridge Filtering configuration works properly. Lan1 provides connectivity to multiple switches across a Devolo powerline, and those switches separate out VLAN traffic correctly. Note that vlan10 is untagged on extsw, and this functions as expected (see below).
But when I try to connect a machine directly to lan4 on vlan20 (middle image), although that machine has untagged connectivity, it breaks tagged connectivity to vlan20 on lan1.
The only workaround I've found (third image) is to set lan4 as a tagged port and the primary vlan ID, but I don't think this is satisfactory because it effectively mixes tagged and untagged traffic on the same port, which we already know is bad.
The Realtek switch seems to accept both tagged and untagged ports over the same VLAN but the four ports cannot be separated; the Broadcom switch allows for individual configuration but seems to have issues with this kind of mixed mode.
I'm a recent convert from DD-WRT and previously had issues getting VLANs to work as a single subnet over both wired and wireless, which was blamed on Broadcom. I suspect there is an issue here with the Broadcom (closed source?) drivers.
Is this likely to be Broadcom related?
Are there any known workarounds?
Am I right not to want to allow tagged and untagged traffic on lan4?
Yep Broadcom is an issue as closed source drivers. I doubt this will ever get better tbh I'm considering a new router. But in your pic what device is attached to LAN4? The fact tagging it makes it work makes me think it's a client that doesn't tag (Windows / Linux laptop or desktop)? In which case this is correct - as for primary vlan, this is the same concept a Native VLAN in Cisco world (as I understand it).
OneMarcFifty does some great VLAN youtube videos https://www.youtube.com/@OneMarcFifty on the subject, might be worth have a watch and see if that helps.
Correct: it's a Windows 10 box which happens to be close enough to the router that it can be wired straight in. So, as you rightly surmise, it's a client that doesn't tag.
It also only works when Primary VLAN ID is enabled on that port. If I just set it as a tagged port with no asterisk, there is no connection. This makes me question whether this is such a bad workaround after all. Does this not simply cause untagged traffic to be assigned to vlan20, which is what I want anyway? If there were multiple VLANs on this port then I could see the issue but traffic on the wire is restricted to the the specific, required VLAN.
If I'm right (and I may very well not be), there's little practical difference between an untagged port versus a tagged port with a single VLAN which accepts untagged traffic ... except to keep the Broadcom chipset happy.
That said, I'm still a bit new to VLAN tagging and could be very wrong. I've been following Fabian Lee's helpful guide but the content itself is credited to OneMarcFifty, so thanks to your nudging I will go research some more.
