Tagging: Normally a frame coming in with a particular tag (e.g. VLAN 13), will be retagged with the same VLAN on the way out. A VLAN-unaware router will ignore a tag, route the packet without a tag, and the packet is free to enter a different VLAN if the route requires it.

On the first point: is this inter-VLAN routing works when the switch is in L3 mode, is there anything that needs to be done in the configuration to allow this routing, or is the routing done by connection? The reason I ask is that in the short tests I have done, the client can ping each IP on the L3 switch, but no devices connected do the switch through any of the other subnets/VLANs

In L3 mode the switch becomes a router and will route by default.  do sh ip route on your L3 switch and you will see directly connected routes. You would have to use ACLs to block inter-vlan routing if you wanted to for a guest VLAN, etc.  In your tests were the default gateways for the host devices the VLAN interface IP address?  I suspect maybe not.

A VLAN unaware device should ignore or drop tagged packets and only use the native VLAN.  Typical example is a trunk port for an IP phone and computer.

interface gi10

switchport mode trunk

switchport trunk allowed vlan add 100

switchport native vlan 10

If you plug a PC into the port it will only see an communicate on VLAN 10.  If you plug an IP phone or a trunk port on another switch it can communicate on both VLANs.

Is that what you are getting at?

I would step back a bit and think about your design requirements.  What kind of firewall are you using?  I often prefer to route through a firewall for a variety of reasons including ease of management and applying policies and visibility to traffic.  You can create ACLs and setup RMON, etc on a switch, but it is often easier/better to do on the firewall and just leave the switch L2.

"In your tests were the default gateways for the host devices the VLAN interface IP address?"

Yes. And doing so allowed a return ping from all of the other interfaces on the L3 switch, but not from any of the devices in those other subnets. It was as if the other interfaces were acting like end devices, and they didn't know they were router interfaces. I would liked to have been able to set a route for each one of them like:

route 192.168.0.0 /24 192.168.0.1

route 192.168.1.0 /24 192.168.1.1

route 192.168.2.0 /24 192.168.2.1

route 192.168.3.0 /24 192.168.3.1

on the L3 switch, but I can only specify routes to different devices on the unit.

Using the firewall to route: I'm really trying to get the behavior of the SG300 in L3 mode understood. Once that is clear, I can make better decisions about what to use where. So far, it is not behaving like I expected, and there have been indications by others that this may need assistance from another connected device to set the routes for the subnets.

I looked at your config again and I can't see obviously what's wrong, but to not make any assumptions let me go through a test (that you may or may not have already done.  This is based on the config snippet you provided in the first post and test should be performed on the first switch only.

I'll assume gi1-2 are available on your L3 switch.

interface gi1
  description VLAN12PC
  switchport mode access
  switchport access vlan 12

interface gi2
  description VLAN13PC
  switchport mode access
  switchport access vlan 13

now a pc on gi1 can have IP 192.168.2.99/24 and default gw 192.168.2.1

a pc on port gi2 can have IP 192.168.3.99/24 and default gw 192.168.3.1

192.168.2.99 and 192.168.3.99 should be able to ping each other.

If this works you should be able to do the same on the L2 switch as long as your trunk port is connected and vlans tagged on the connected trunk ports.