You'll need to create a separate firewall for VLAN_LOCAL. "IN" deals with traffic going to other LANs, "LOCAL" deals with traffic going to the router itself.
The trick here is that you will need to allow some limited traffic to the router, namely DNS traffic (otherwise the internet won't work). Set up a new firewall ruleset (VLAN_LOCAL) and apply it to your VLANs with the local direction. Default action drop, rule 1 allow TCP/UDP port 53 to the router.
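The ruleset described above, written out as an added example (not part of the original post). It assumes an EdgeOS/Vyatta-style CLI and two hypothetical VLAN interfaces, `eth1.10` and `eth1.20`; substitute your own interface and VLAN IDs.

```edgeos
configure

# New ruleset for traffic addressed to the router itself: drop unless allowed
set firewall name VLAN_LOCAL default-action drop
set firewall name VLAN_LOCAL description "VLAN clients to router"

# Rule 1: allow DNS queries to the router (TCP and UDP port 53)
set firewall name VLAN_LOCAL rule 1 action accept
set firewall name VLAN_LOCAL rule 1 description "Allow DNS to router"
set firewall name VLAN_LOCAL rule 1 protocol tcp_udp
set firewall name VLAN_LOCAL rule 1 destination port 53

# Apply the ruleset in the local direction on each VLAN interface
# (eth1 vif 10 and eth1 vif 20 are assumed names, not from the post)
set interfaces ethernet eth1 vif 10 firewall local name VLAN_LOCAL
set interfaces ethernet eth1 vif 20 firewall local name VLAN_LOCAL

commit
save
exit
```

After committing, `show firewall name VLAN_LOCAL statistics` shows per-rule packet counters, which confirms that DNS hits rule 1 and everything else falls to the default drop. If the router also hands out DHCP leases on these VLANs, an additional accept rule for UDP port 67 is the usual companion to the DNS rule.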