I'm no expert but that's all I use on my WAP which also has VLAN.
Probably shouldn't use Net Isolation on the VLAN & WAP....at least turn it off to see what you have.
Might be better to isolate with other rules.
I don't use it on mine but I only have 2 ports config in the 192.168.1.0 strictly used as a switch for debricking my screwups.
Net Isolation does not always work as you might expect on a WAP or when used if br1,br2, br.. also in the config
Then with the additional firewall rules I made sure all the "Guest" will behave well
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i wl1.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
At the end I think one could have setup a NEW bridge and configure that ... however this was more straight forward ... using many build-in options.
Many thanks to the volunteers, who make the DD-WRT community what it is!