You're spot on. The general process would be:

- Create new VLAN
- Exclude the new VLAN from site-to-site VPN
- Create L3 firewall rules blocking communication from the new VLAN to your existing one. This can be any explicit deny rule with the source of the new subnet and a destination of the existing one, or simply a rule denying all 3 private IP ranges from the new subnet (for easy future proofing).
- Connect wife's PC to new VLAN with an access port
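The two rule options in the reply above can be compared with a small first-match evaluator. This is an added example, not part of the original post and not any vendor's API: the subnets, host addresses, rule fields (`policy`, `src`, `dst`) and the default-allow fallthrough are all constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (assumptions, not from the post).
EXISTING = "192.168.1.0/24"   # existing VLAN
NEW = "192.168.20.0/24"       # new isolated VLAN
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Option A: one explicit deny from the new subnet to the existing one.
EXPLICIT_DENY = [{"policy": "deny", "src": NEW, "dst": EXISTING}]
# Option B: deny all three private ranges from the new subnet.
DENY_PRIVATE = [{"policy": "deny", "src": NEW, "dst": r} for r in RFC1918]


def evaluate(rules, src_ip, dst_ip, default="allow"):
    """First-match evaluation of an ordered L3 rule list.

    Assumption: rules are checked top-down and traffic that matches
    no rule falls through to a default allow.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])):
            return rule["policy"]
    return default


def audit(rules):
    """Evaluate the flows that matter for isolating the new VLAN."""
    host = "192.168.20.10"  # constructed host on the new VLAN
    return {
        "to_existing_vlan": evaluate(rules, host, "192.168.1.50"),
        # A private subnet added later that nobody wrote a rule for.
        "to_future_private_subnet": evaluate(rules, host, "10.0.50.5"),
        "to_internet": evaluate(rules, host, "1.1.1.1"),
    }


if __name__ == "__main__":
    for name, rules in (("explicit deny", EXPLICIT_DENY),
                        ("deny RFC 1918", DENY_PRIVATE)):
        print(name, audit(rules))
```

Both options block the existing VLAN and leave internet access intact; only the three-range deny also covers a private subnet created later, which is the future-proofing the reply mentions.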