If one or both of them connect using WiFi then have them connect to a guest network and block access to Intranet.
If they connect using an Ethernet cable you are going to need to setup a VLAN. If his isn't possible using the GUI, search this forum you will find numerous discussions of how to write or adapt a script to do what you want.
Depending on what router you have and if Tomato is available for it you could flash Tomato and then setup VLANs using the GUI.
Finally the simplest but perhaps less elegant method is to setup VLANs for wired clients is to add a managed/smart switch to your network for US$28 (TP-Link SG108E).
Thank you, this is good thinking outsidethebox solutions, thank you.
A question that arrises for me would then be, would being on the guestnetwork still enable the client to connect through my VPN? Which is setup now
If a device is connected to the guest network depending how your VPN is setup some or all clients would use the VPN tunnel. I have policy routing selected so some of my IoT devices use the WAN & others route using one of two VPN clients I have running. All my IoT devices connect using either a guest network. Then for ones using WiFi the connect either using a 2.4 Ghz channel or a 5 Ghz channel. This is done using Merlin 384.14.
If you use ASUS stock firmware or set your router up with Merlin and then select route all traffic on VPN, then all regular and guest devices will use the VPN tunnel.
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!