Ah, okay, that makes sense, except...
The VLAN tagging is happening on a Tomato router upstream. Perhaps I'm just missing a crucial concept, but EdgeOS doesn't seem to let me create a firewall group or interface for packets from an upstream VLAN, coming over the same LAN interface but tagged, as non-VLAN packets. It seems to want me to dedicate a port to a VLAN. Is there an easy way to state, "This VLAN name is associated with this tag"?
It's an ERL3, so not sure which functionality from the manual really applies; they have a lot of it in there that they specify as applicable to just a subset.