My primary VLAN (110) gets out to the universe just fine (src natting box checked), no worries there. I created a new VLAN (112) for the full tunnel VPN (also src natting box checked). I gave its role an allow all rule for spin up/testing. When connected to the full tunnel VPN, I can indeed access other internal VLANs, including my primary and all of its assets, but cannot get out to the internet.
So, the default routing works for VLAN 110 but not for VLAN 112.