On the catalyst , interface vlan is needed only for management purpose ( telnet , ssh, ..) , as well as the default gateway is needed for remote management (different networks).
btw , very fast solution (not the better ) , on the zeroshell , router , nat , nat enabled interfaces , ETH00. In firewall , forward chain , 1st rule
in ETH00.2 out ETH00 proto all s. ip 192.168.20.0/24 d. ip 192.168.194.0/24 action DROP
the defaut gateway for PC’s in vlan2 is 192.168.20.1.
you should be able to ping the internet , surf the web , but no connect any pc/host in vlan1 .
But this is a very basic config ( just for try ), using the existing topology , I would suggest you something a bit different…
P.S. sorry for my english