I'm testing this idea as a setup, what are the flaws?
I have Proxmox set up on a machine with 2 network cards. Apache Guacamole is installed, and it has access to the 3 separate LANs, but they are never actually joined. There ARE 2 NICs joined on a physical machine, but they are never networked together (?).
I'm not sure the logic works:
Apache Guacamole is like remote desktop in a browser, but can do much more, like SSH.
The NICs never interact with each other on the virtual machine. The 2 NICs are there to establish connections only, and the connections are not only remote, they are segregated from each other as you are simply "viewing" the virtual machine on a segregated network via HTML5 and a browser.
With this setup I can access any machine from my desktop while it remains strictly on its 10.x LAN with no connection to the 176.x network.
The last thing left is file sharing. I poked a share in the DMZ using SAMBA, and it works.
For the moment, here is an example of what this can do:
Via a browser, I can access a remote machine on my DMZ which I use specifically for email. My email and any potential risks stay in the DMZ, and I can selectively pull or push attachments via a file share. I can also drag and drop, but have not fleshed that out as it seems a browser crash waiting to happen. The benefit of this is I never interact with email behind my LAN anymore, it never leaves the DMZ, so if I need to click a link, or finish a signup, or anything, it's always in a VPN environment segregated from my network.
Edit: I guess I failed to put forward a thesis on why this approach is better than doing it at the router. The router is a hacking target and provides easy tractability of the network. Using 2 segregated NICs, the connection between the networks is obscure because not even the router being probed knows about the other network unless it appears in ARP somehow.
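
Added example, not part of the original post: a check for whether a dual-homed Linux host, such as the Guacamole VM described above, would route packets between its two NICs, based on the kernel forwarding switches and the default `FORWARD` policy. It assumes the VM runs Linux with iptables; the interface names `ens18`/`ens19` and the sample data are constructed.

```shell
#!/usr/bin/env bash
# Added example: does a dual-homed Linux host route between its NICs?
# Inputs are the text of `sysctl -a` and `iptables -S FORWARD`.

# Print every IPv4/IPv6 forwarding switch that is enabled (value != 0).
enabled_forwarding() {
  awk -F' *= *' '
    ($1 == "net.ipv4.ip_forward" ||
     $1 ~ /^net\.ipv[46]\.conf\.[^.]+\.forwarding$/) && $2 != 0 { print $1 }'
}

# Print the default policy of the filter FORWARD chain (ACCEPT or DROP).
forward_policy() {
  awk '$1 == "-P" && $2 == "FORWARD" { print $3 }'
}

# $1 = sysctl text, $2 = `iptables -S FORWARD` text.
# Returns 0 if forwarding is off, 1 if only the default DROP policy
# stands in the way, 2 if the host will forward.
audit_host() {
  local fwd policy
  fwd=$(printf '%s\n' "$1" | enabled_forwarding)
  policy=$(printf '%s\n' "$2" | forward_policy)
  if [ -z "$fwd" ]; then
    echo "OK: kernel forwarding is off on every interface"
    return 0
  fi
  echo "forwarding enabled: $(echo $fwd)"
  if [ "$policy" = "DROP" ]; then
    echo "WARN: default FORWARD policy is DROP; review the chain's ACCEPT rules"
    return 1
  fi
  echo "FAIL: host can route between NICs (FORWARD policy ${policy:-unknown})"
  return 2
}

# Constructed sample data (ens18/ens19 are assumed interface names).
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.ens18.forwarding = 1
net.ipv4.conf.ens19.forwarding = 1
net.ipv4.conf.ens18.mc_forwarding = 0
net.ipv6.conf.all.forwarding = 0'
SAMPLE_FORWARD='-P FORWARD ACCEPT'

audit_host "$SAMPLE_SYSCTL" "$SAMPLE_FORWARD" || true
# On a live host: audit_host "$(sysctl -a 2>/dev/null)" "$(iptables -S FORWARD)"
```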