TP-Link TL-SG108E - VLANs to separate one device from all others
The segregation you are asking for is what Multi-Tenant Unit VLAN is good for. Quoting the help text in the switch configuration:
MTU VLAN (Multi-Tenant Unit VLAN) defines an uplink port which will build up several VLANs with each of the other ports. Each VLAN contains two ports, the uplink port and one of the other ports in the switch, so the uplink port can communicate with any other port but other ports cannot communicate with each other.
So you could use that and configure port 1 as the uplink port. Unfortunately that also means that ports 2 through 7 cannot communicate with each other.
If you need ports 2 through 7 to communicate, you need to look at other options, because the Multi-Tenant Unit VLAN feature does not appear to be flexible enough to allow that.
Port based VLAN as you have noticed cannot do what you want either.
That leaves tagged VLANs as your last option. But having a port be an untagged member of more than one VLAN is problematic because untagged frames sent to the switch could be intended for any of those VLANs, and the switch cannot know.
Instead what you should do is to make the uplink port to the router be an untagged member of no more than one VLAN and a tagged member of the rest.
On the router itself you also need to configure the same VLAN tags such that the router will know which VLAN a packet originated from and the router can tell the switch which VLAN a packet is for.
On the router this will look like two virtual network interfaces connected to the two different VLANs. And the recommended configuration is to have the router use different IP prefixes for the two VLANs.
Your desired setup is definitely possible on this device. "Port Based VLAN" is not sufficient as it doesn't allow one Port being member of several VLANs. With "802.1Q" this is possible. My setup, which I had running on exactly this device, was more or less identical to what you would like to achieve.
My setup:
Portnum Device Member of VLAN VLAN-ID INCOMING FRAMES GET ASSIGNED (PVID)
--------|----------|----------------|-----------------------------------------
Port 1 Router 1,2,3 1
Port 6 Device A 1,2 2
Port 7 Device B 1,3 3
With this configuration, Port 6 and 7 are seperated from each other. Both can communicate with Port 1, but not with each other.
Explanation: Ethernet frames entering Port 6 get pushed onto VLAN 2. As Port 1 is member of VLAN 2, they can leave through this port and thus reach the device behind it (Router). They cannot leave through Port 7, as it is not member of VLAN 2. When the router wants to reply, its ethernet frames, which enter through Port 1, get pushed onto VLAN 1. Port 6 is part of VLAN 1, hence they can leave through this port. They could leave through Port 7, but as the frames do not carry the MAC address of the device behind it, the switch has no reason to make them do so.
Please find screenshots of my working setup below.