iksm | 2 years ago
Behind this, any pirated server could decide to send VLAN-tagged packets that may go through the firewall if the rules are bad, or read any of them arriving at it.
VLANs are useful if you want to "tag" packets with IDs going through specific interfaces for segmentation purposes. The tag is applied from the interface standpoint, so this gives a virtual segmentation between ports of machines you are supposed to always control, like between a port on your router and ports on a managed switch.
In this case VLANs are configured on the router's interface and the switch interfaces, but the exposed server is not aware of it, and can't change it, so you can know the ID is right.
It is often believed that this is required to isolate networks; this is wrong, you just need to have separate interfaces.
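The comment's point that the tag must come from the port, not from the host, can be shown as an ingress check. This is an added example, not part of the comment: the function names, the sample frames and the strict "drop any host-supplied tag" policy are assumptions, and real switches differ in how their access ports treat tagged frames.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag EtherTypes

def parse_vlan_tags(frame: bytes):
    """Return (list of VLAN IDs, inner EtherType) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vids = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:            # walk stacked tags (double tagging)
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vids.append(tci & 0x0FFF)        # low 12 bits of the TCI are the VID
        offset += 4
    return vids, ethertype

def access_port_ingress(frame: bytes, pvid: int):
    """Hypothetical strict access-port policy: the port assigns the VLAN,
    the host never does. Returns (verdict, vlan, reason)."""
    try:
        vids, _ = parse_vlan_tags(frame)
    except ValueError as exc:
        return ("drop", None, str(exc))
    if not vids:
        return ("accept", pvid, "untagged; VLAN set by the port")
    if vids == [0]:
        return ("accept", pvid, "priority tag only (VID 0); VLAN set by the port")
    return ("drop", None, f"host supplied VLAN tag(s) {vids}")

def build_frame(tags=(), ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed sample frame with locally administered MAC addresses."""
    hdr = bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")
    for vid in tags:
        hdr += struct.pack("!HH", 0x8100, vid)
    return hdr + struct.pack("!H", ethertype) + payload

if __name__ == "__main__":
    samples = {                          # constructed inputs, port VLAN is 20
        "untagged": build_frame(),
        "tagged for another VLAN": build_frame(tags=(30,)),
        "double tagged": build_frame(tags=(20, 30)),
        "priority tagged": build_frame(tags=(0,)),
    }
    for name, frame in samples.items():
        print(f"{name:26s}", access_port_ingress(frame, pvid=20))
```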