Routing – VLAN tagging, routing, and general pain

To everyone who takes the time to read below, thank you very much.

I want to start this off with the very general question and then give my exact situation. I really don't understand the terminology 'tag egress packets' vs 'untag egress packets' when it comes to setting up VLANs. As far as I was always concerned, tag meant that the switch was manually enforcing a VLAN tag on every packet that came into that port (placing the tag on itself) and untag meant that it wasn't. This goes back to one of my first bosses, who told me you could only have one tagged VLAN per port. I'm pretty sure this is wrong now, but I wouldn't mind figuring out exactly what that refers to. I'm currently operating under the assumption that tag means it accepts tagged packets for that VLAN and untagged means that it accepts untagged packets and places it into that VLAN (Probably the Primary VLAN ID). Of course, that could be complete bunk.

My Situation/Problem

The network infrastructure is currently running all NetGear Prosafe switches (not my choice, but until we do the upgrade later this month, I get to work with them) as well as one NetGear router. We are using Aerohive Access points to create a Campus wireless network.

I'm basically going through, ripping out the existing SSIDs on the Aerohives and looking to replace them with a better option. The aerohives aren't the problem, I can configure them with my eyes closed.

What I do have is three VLANs I want to create, to separate three different classes of users onto three different subnets. The Aerohives will assign 2220, 1135, and 2135 based on the user and SSID used. For right now, I'm focusing on 2220 as a test case. I have configured a new DHCP scope on the DHCP server (192.168.5.0/24) and have configured every port along the path with the tag egress packets option for the new VLAN. I have also added in a special routing port (even though I have high doubts it's needed at all).

The Problem

I don't receive DHCP on the network and when I do a VLAN probe for 2220 it shows up as not having a subnet. I really just don't know enough about VLAN routing and especially these NetGears to get why the DHCP requests do not get to the DHCP server.

Clarification

For right now there are only two switches between the DHCP server and the access point. The DHCP server, being on a different subnet, likely isn't contacted directly, but I'd likely expect the following to happen.

AP > Switch 1 > Router > Switch 2 > DHCP server

Yes, the router port I setup for the new VLAN is connected to the same switch as the AP is. Ideally, for this test case, I think I would only need to configure about 3-5 ports.

Edit

After reading the below answers I tried the following and wanted to add a bit more clarification.

Switch 1 – Port 03 VLAN 3030 untagged, VLAN 2220 tagged, Primary VLAN 3030
3030 is the management interface VLAN and is needed for the AP to communicate so I can't really change the primary.

Switch 1 – Port 09 VLAN 2220 untagged, Primary VLAN 2220
This heads off to the router. I get the feeling I should be able to just tag all three VLANs on this one port eventually and have the router deal with them in trunk mode.

Router – Port 05 VLAN 2220 untagged, Primary VLAN 2220. VLAN routing interface 192.168.5.1, 255.255.255.0. DHCP helper relay is setup for the DHCP server. For reference, the DHCP server is on the 192.168.1.0/24 subnet. Note: This model of netgear does not let me configure an IP for the physical port, just for routing ports you create.

Switch 2 – Port 05 This is the Hyper V host port and where I start getting confused. We have another subnet setup exactly the same way (not created by me). The port itself has only VLAN 1 untagged and primary. So, I don't think I need anything configured on the port. I just don't know if I'm missing something or not.

DHCP still does not seem to work.