My theory that you'll need a dedicated machine to access the internet is more true by the day.
Is that machine also going to be segmented on a private VLAN?
Is that machine also going to be segmented on a private VLAN?