Beginner VLAN setup question(s)

That’s one way to “imagine it”, but what happens inside the switch is probably different in reality. The IEEE 802.1Q spec says nothing about how a switch works internally; it just describes a “bridge” as a black box that must behave in a specific way externally. I like to use the word “classify” instead of “tag”, because tags are something used on the wire to keep ethernet frames for different vlans distinct from each other. All the switch does internally is keep vlans separate from each other; you can think of it as 4094 lanes that only allow traffic for a single vlan each. Many implementations also limit the number of vlans that can be used at the same time, for example up to 64 unique vlans chosen from the 4094 possible choices (1-4094); 0 and 4095 are reserved for special uses. The PVID just specifies what vlan untagged packets received on a port will be associated with. Usually the PVID is also a clue to the switch that when it transmits an ethernet frame for that vlan, the frame will be transmitted from the port as a standard untagged ethernet frame.

Were you hoping only the ether6 port would be affected?

Turning on vlan-filtering changes the way the bridge/switch works.

Until you enable VLAN filtering, the PVID and other vlan stuff is ignored. It’s like a port being connected to a dumb switch. The bridge operates in vlan-transparent mode, it doesn’t examine the ethertype field in the ethernet frame (the 2 octet field that follows the src mac address in the ethernet header); it just passes the frames through unchanged, so you can still have tagged packets pass through the bridge to be interpreted by an external vlan aware device like the UAP, or a vlan-aware switch. Internally in the non-vlan-filtering switch all frames are in a single lane (broadcast domain).

When vlan-filtering is enabled, the switch starts to pay attention to the ethertype in addition to the mac addresses, and if the ethertype matches 0x8100 (the tag protocol id), then it knows that this is a tagged ethernet frame, and that it will find the vlan id and priority info in the next two octets, and then the original ethertype in the following two octets.

But once vlan-filtering is activated, then only those vlans explicitly allowed will egress through a bridge port.
Was the TV streaming over wireless? If it was using a vlan interface, once you turned on vlan-filtering, any frame with vlans not explicitly allowed will be dropped (filtered out).

BTW, you should be able to set the ethernet address of ether8 without making it a separate bridge. Unless your ISP is providing you with multiple vlans on the Internet side (each with a different service like VoIP, IPTV etc), then I would remove ether8 from the bridge and just use it as a dedicated ethernet port. See this @normis post about how to achieve this.

Learning new things is good! And having a mix of different devices, each with a different way to configure will lead to a much better understanding, but it will take more effort.

The SwOS is pretty easy to set up, and the examples are pretty clear in the documentation, given you understand the difference between an untagged (implicit) vlan and a tagged (explicit) vlan.

I think you can get it to work, but you will need to, at a minimum, configure the RB5009 SFP+ port so it will pass the vlans to the switch in the same manner they are currently being sent, the base vlan untagged and the GuestIoT tagged. As long as you have the trunk ports sending the same vlans tagged and untagged, then things should work the same when vlan-filtering is enabled. You may want to remove a port from the switch (perhaps one of the family pc’s) and then you will have access to the RB5009 and not get locked out. Next set up trunk on eth1 to the RB260 switch.

Also, I think you need to add your vlan interfaces to the LAN list as members.

@anav has helped many people, he will probably have some suggestions about your firewall as well.

Good luck in your learning journey.
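
The classification and filtering behaviour described in the post above, as an added example that is not part of the original post and is not RouterOS or SwOS code. It is a simplified model of a VLAN-filtering bridge port (no MAC learning or ingress filtering); the sample frames, the VLAN ids 1 and 20, and the function names are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # tag protocol id from the post

# Constructed sample frames: broadcast dst MAC, made-up src MAC, IPv4 ethertype.
_MACS = bytes.fromhex("ffffffffffff020000000001")
SAMPLE_UNTAGGED = _MACS + struct.pack("!H", 0x0800) + b"payload"
# Same frame tagged with priority 5, VLAN 20 (VLAN ids here are assumptions).
SAMPLE_TAGGED = _MACS + struct.pack("!HHH", TPID_8021Q, (5 << 13) | 20, 0x0800) + b"payload"


def classify(frame: bytes, pvid: int):
    """Ingress: return (vlan_id, priority, original_ethertype, was_tagged)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)  # 2 octets after src MAC
    if ethertype != TPID_8021Q:
        return pvid, 0, ethertype, False  # untagged: the port's PVID decides
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    vid, priority = tci & 0x0FFF, tci >> 13
    if vid == 0:  # reserved id 0: priority-only tag, VLAN still comes from PVID
        vid = pvid
    return vid, priority, inner, True


def egress(frame: bytes, ingress_pvid: int, tagged: set, untagged: set):
    """Bytes sent out of a port with these VLAN memberships, or None if filtered."""
    vid, priority, inner, was_tagged = classify(frame, ingress_pvid)
    macs, body = frame[:12], frame[18 if was_tagged else 14:]
    if vid in untagged:   # member as untagged: plain Ethernet frame on the wire
        return macs + struct.pack("!H", inner) + body
    if vid in tagged:     # member as tagged: (re)insert the 802.1Q tag
        tci = (priority << 13) | vid
        return macs + struct.pack("!HHH", TPID_8021Q, tci, inner) + body
    return None           # VLAN not explicitly allowed on this port: dropped


if __name__ == "__main__":
    print(classify(SAMPLE_TAGGED, pvid=1))
    print(egress(SAMPLE_TAGGED, 1, tagged=set(), untagged={1}))
```

The last call returns `None`: a port that only carries VLAN 1 untagged silently drops a VLAN 20 frame, which is the kind of loss the post describes when vlan-filtering is switched on before every needed VLAN is allowed on the port.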