LS300: Some hosts on VPN, some not

I’m trying to set up an LS300 to allow a couple of hosts access to an IPSec VPN tunnel while leaving a couple of other hosts OFF of that VPN tunnel but still allowing them access to the internet.

Someone suggested using a separate VLAN for the non-VPN hosts, which would separate the host groups from one another as well, and that would be ideal, but I haven’t had much luck. Can anyone point me in the right direction?