I think you could take some inspiration from a different scenario (but not so different from yours).

I’ve asked in the past here
The scenario was for TWO ethernet cards (one is WAN and the second manages multiple VLAN with a VLAN capable switch), where just one VLAN was visible to the others (#198 in my case).

Maybe this could help…. I hope!