To lay some foundation, a VLAN is akin to a separate network with separate Ethernet cables. That provides isolation between machines on different VLANs, but it also means each VLAN must be provisioned with routing, so as to reach destinations outside the VLAN.
Routers like OpenWRT often treat VLANs as if they were distinct NICs, so you can specify routing rules such that traffic to/from a VLAN can only be routed to WAN and nowhere else.
At a minimum, for an isolated VLAN that requires internet access, you would have to
define an IP subnet for your VLAN (ie /24 for IPv4 and /64 for IPv6)
advertise that subnet (DHCP for IPv4 and SLAAC for IPv6)
route the subnets to your WAN (NAT for IPv4; ideally no NAT66 for IPv6)