Wow. Minefield.
All my VLANs terminate at the LinksysWRT router: the PPP VLAN from the ISP, the LAN, GUEST, etc. etc. So obviously the firewall lives there too, all access-switch interfaces are untagged (one VLAN only), and everyone lived happily ever after.
I "upgraded" to a virtualisation environment host (VE) and recently added a "publicly accessible service" (PAS). Initial testing has been done with this PAS running in a container on a LAN subnet address on the VE host.
I don't like this. While the main router is responsible for firewalling the inbound traffic, which is absolutely fine, the issue lies with the worst case of a red guy gaining a shell on that container, giving them unfirewalled access to the LAN... possibly.
Firewalling between subnets/VLANs can be bypassed entirely by inter-subnet, cross-VLAN traffic accepted between bridges on the VE. Usually they are set up to forward between all possible VLANs and networks, so you can create random environments. So it is therefore essential that such hosts which "share" or "materialise" more than one VLAN into an IP stack are treated as routers and/or firewalls.
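As an added illustration of the "treat the VE host as a router/firewall" point, here is an nftables ruleset for the VE host itself. It is not from the post or from any particular hypervisor product; it assumes a Linux-based VE host with one bridge per VLAN (`br-lan` for the LAN, where the host's management address lives, and a separate `br-dmz` for the PAS container, which carries no host IP and is trunked to the main router over a tagged uplink). All interface and bridge names are assumptions. The ruleset is paired with `net.ipv4.ip_forward=0` (and the IPv6 equivalent), so the only path from the DMZ VLAN to the LAN is back through the main router's firewall.

```nft
# Added example, not from the original post. Interface names are assumed:
#   br-lan : LAN VLAN bridge, host management IP attached here
#   br-dmz : DMZ VLAN bridge holding the PAS container, no host IP
# Assumes sysctl net.ipv4.ip_forward=0 and net.ipv6.conf.all.forwarding=0
# so the host never routes between the two bridges at layer 3.
flush ruleset

table inet ve_host {
    chain forward {
        # The VE host is not a router. Anything that would be forwarded
        # between bridges is logged (so a leak is visible) and dropped.
        type filter hook forward priority filter; policy drop;
        counter log prefix "ve-forward-drop " drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
        # Management (SSH) only from the LAN side.
        iifname "br-lan" tcp dport 22 accept
        # A compromised PAS container must not reach the host's own stack
        # either; log so the attempt shows up in the host logs.
        iifname "br-dmz" counter log prefix "ve-dmz-to-host " drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

The important part is structural rather than the rules themselves: the container is attached only to `br-dmz`, so there is no layer-2 path to the LAN, and with forwarding disabled plus a default-drop forward chain there is no layer-3 path through the host either. Loading it with `nft -f` and then checking `nft list chain inet ve_host forward` after some traffic from the container should show the forward counter staying at zero; a non-zero count is the early warning that something on the host is still trying to bridge the VLANs.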