Sounds likely to be the same issue I saw way back in 2016:
https://forum.draytek.co.uk/viewtopic.php?f=14&t=21296
. I went round the houses with DrayTek support and they eventually concluded that this behaviour was as expected. The DrayTek response was:
The engineers looked into the mechanisms that are responsible for the vlan traffic. They have concluded that the design of it is meant to be for the multiple MAC address destinations rather than one.
For example, when a PC is set with two vlans configured on the same interface the destination MAC address of two traffic paths are the same (wireless to port2 PC & LAN4' traffic with port2 PC). In our mechanism, when we receive packets, we will record the source MAC address and some other information such like pid (a kind of port id) in our bridge table (one MAC address only has one pid).
When we need to send a packet, we will search the bridge table by MAC address and depends on its pid to find out the packet that I am going to send will need to add vlan tag or not. That is to say, if there are two kind of traffics that the destination MAC address are the same (one has vlan tag, the other doesn't has), the pid of MAC address in bridge table will keep changing and cause some of the un-tagged packet add the vlan tag incorrectly.
In my opinion this is a reasonably serious bug/vunerability as the expected isolation and hence confidentiality of VLAN traffic is compromised due to traffic leaking between VLANs. However no fix has ever been forthcoming from DrayTek.
Regards,
