[mwimpelb]

My goal here is to have one device on my network that can only access the internet and nothing else on my LAN. My approach to this was to create a separate VLAN, assign it a subnet and DHCP range and then write some iptables rules to prevent communication from that subnet to the other subnet. I'm not sure how within one device the gateways work though, would the default gateway of 192.168.5.1 for the new VLAN5 still route to the internet, or does the gateway still have to be 192.168.1.1?

I saw this guide, but the iptables commands specify vlan+ which would be layer2.

[Per Yngve Berg]

You are on the right track here if the device is wired to the router with a cable.

The client's gateway shall be the router's address on the interface the device is connected to. Traffic between the VLANs are done through L2 routing.

PS. VLAN is very chip-set dependant (Broadcom, Atheros, Marvell etc.). See the corresponding forums on how to do this.

[mwimpelb]

I was able to get this working with the attached screenshots.