You add a new VLAN, say with ID 3. The CPU port will be tagged, as you have it for VLAN 1; whichever port you want, you set it to untagged (and the same port will be off for VLAN 1), and the WAN port will be off.
Then you create a firewall zone for it. You are likely to want to copy the LAN zone, except that you will probably want to block connections from that subnet (if it's a first neutral for example) to the LAN zone.
You go to interfaces, create an interface for the VLAN you just created (i.e. eth0.3) and set the IP, DHCP Server settings etc.
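The three steps above, written out as OpenWrt UCI configuration. This is an added example, not part of the original post. The switch name `switch0`, CPU port 0, LAN ports 1-4 with port 4 moved to the new VLAN, the name `vlan3`, the 192.168.3.0/24 subnet and the existing `wan` zone are all assumptions; port numbering differs between devices.

```uci
# /etc/config/network
config switch_vlan
	option device 'switch0'        # assumed switch name
	option vlan '1'
	option ports '0t 1 2 3'        # port 4 removed, so it is off in VLAN 1

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4'            # CPU tagged, port 4 untagged, WAN port not listed (off)

config interface 'vlan3'           # assumed interface name
	option device 'eth0.3'         # 'option ifname' on releases before 21.02
	option proto 'static'
	option ipaddr '192.168.3.1'    # assumed subnet
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'vlan3'
	option interface 'vlan3'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
config zone
	option name 'vlan3'            # same policies as the stock lan zone
	list network 'vlan3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'vlan3'
	option dest 'wan'              # Internet access, as the lan zone has

# No forwarding section with src 'vlan3' and dest 'lan' is defined, so
# traffic from the new subnet to the LAN zone falls through to the global
# forward policy, which is REJECT in the default firewall config.
```

Because the zone keeps `input 'ACCEPT'`, hosts on the new VLAN can still reach services on the router itself, such as the web interface and SSH; set `input` to `REJECT` and add explicit rules for DHCP and DNS if that subnet should not have that access.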