LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 10-08-2015, 01:19 PM   #1
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Testing a VLAN


I configured a VLAN to isolate one physical system. This is my first venture with a VLAN. What tests should I perform to ensure this box is isolated?

I am using DD-WRT in a Linksys WRT54-GL. I created a separate VLAN for port 4. This port is for a testing box that I want to keep isolated from my LAN. Mostly the box is used for testing distros. The system came with Windows 7 installed but I rarely use Windows.

My LAN is on subnet 192.168.1.x. The router is assigned to 192.168.1.1.

The port 4 VLAN is on subnet 192.168.40.x. The DHCP server for that VLAN assigns addresses starting at .102. The VLAN is not bridged.

My nominal testing with the installed Fedora 22 and a LMDE live USB indicates the system is correctly assigned an IP address of 192.168.40.102.

I can ping the router at 192.168.1.1, but pinging other systems on my LAN subnet fails, as I expect and desire. Browsing with the built-in Caja Samba browser does not find my LAN Samba server.

Is there anything further to do to ensure this system is truly isolated?

Thanks.
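One way to check the two things the post is after (no route from the test box into 192.168.1.0/24, and LAN services such as the Samba server not answering), as an added example that is not part of the original thread. It is meant to run on the box plugged into the port 4 VLAN; the LAN host list at the bottom is a placeholder to fill in with the addresses of your own LAN machines.

```python
#!/usr/bin/env python3
"""Isolation self-check for the host on the port 4 VLAN (192.168.40.x).
Added example, not from the thread; the LAN host list is a placeholder."""
import ipaddress
import socket
import subprocess

LAN = ipaddress.ip_network("192.168.1.0/24")    # main LAN from the post
VLAN = ipaddress.ip_network("192.168.40.0/24")  # isolated port 4 VLAN
ROUTER = "192.168.1.1"                          # router address from the post
SAMBA_PORTS = (139, 445)                        # what the Caja Samba browser talks to


def routes_into_lan(ip_route_output):
    """Return the lines of `ip route` output whose destination overlaps the LAN.
    Only the default route should lead there; an explicit route to 192.168.1.0/24
    (or a wider prefix that covers it) means the box is not isolated at layer 3."""
    hits = []
    for line in ip_route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        try:
            dst = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # e.g. "broadcast" / "local" entries from the local table
        if dst.overlaps(LAN):
            hits.append(line.strip())
    return hits


def tcp_open(host, port, timeout=1.0):
    """True if a TCP connect to host:port completes, i.e. a LAN service answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def isolation_report(lan_hosts, ports=SAMBA_PORTS + (22, 80)):
    """Probe LAN hosts that must NOT answer from the VLAN. Returns {(host, port): open}.
    The router answering ping is expected; a LAN file server answering is a leak."""
    return {(h, p): tcp_open(h, p) for h in lan_hosts for p in ports}


if __name__ == "__main__":
    table = subprocess.run(["ip", "route"], capture_output=True, text=True).stdout
    print("routes into LAN:", routes_into_lan(table) or "none (good)")
    lan_hosts = ["192.168.1.10"]  # placeholder: put your Samba server and other LAN hosts here
    leaks = {k: v for k, v in isolation_report(lan_hosts).items() if v}
    print("LAN services reachable from VLAN:", leaks or "none (good)")
```

Run it from Fedora on the test box and from the live USB; both should report no routes into the LAN and no reachable LAN services.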
 
Old 10-08-2015, 03:11 PM   #2
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,857

Assign a different IP subnet to the VLAN network and add a new entry in the route table for the subnet.
 
Old 10-09-2015, 06:08 PM   #3
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Quote:
Assign a different IP subnet to the VLAN network and add a new entry in the route table for the subnet.
I do not understand. I explicitly wrote that the port 4 VLAN is on subnet 192.168.40.x.

I asked for ways to test whether the VLAN was truly isolated, not how to configure.
 
Old 10-12-2015, 03:04 PM   #4
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,857

To answer your question about ways to test whether the VLAN was truly isolated, I need to know why you want to use it: providing a different subnet or something else. Normally, VLAN traffic can be isolated in the router, or it could be isolated in the subnet.
 
Old 10-12-2015, 03:36 PM   #5
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Why? I thought I addressed that in the original post. A testing machine.

Okay, let's make this juicier. Suppose this is a Windows machine used to connect to a corporate VPN and network. I do not want corporate sys admins having any knowledge of my LAN, let alone potential access.

Or make this even more fun, to test malware infections. Malware is being designed more craftily, and testing in a VM won't succeed with some malware, such as ransomware. The only way to test and learn is a physical machine connected to the web.
 
Old 10-13-2015, 02:27 PM   #6
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,857

Quote:
Okay, let's make this juicier. Suppose this is a Windows machine used to connect to a corporate VPN and network. I do not want corporate sys admins having any knowledge of my LAN, let alone potential access.
If the VPN is terminated on the corporate router and the traffic is then routed to your local router, it is impossible to hide your private LAN. Your private LAN is gone after your local router.
 
Old 10-13-2015, 03:09 PM   #7
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Quote:
If the VPN is terminated on the corporate router and the traffic is then routed to your local router, it is impossible to hide your private LAN. Your private LAN is gone after your local router.
I understand that the routing table changes when connecting to a VPN. Yet in my example, the machine is already on a VLAN, which uses a different subnet than my LAN. I do not see how anybody on the VPN subnet sees the LAN subnet, which is different from the VLAN subnet.
 
Old 10-14-2015, 02:33 PM   #8
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,857

Let's say there are two sides on your local router: one side connects to your local LANs and the other side connects to the corporate network.
Yes, you can use a VLAN to isolate the testing machine from the LAN subnet. Any machine on the LAN subnet can't see any packet generated by the testing machine.
But if the testing machine accesses the Internet, the VLAN is gone after your local router.
 
Old 10-14-2015, 05:22 PM   #9
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Quote:
But if the testing machine accesses the Internet, the VLAN is gone after your local router.
Are you saying that once the VLAN machine connects to the web that anybody on the web can access the LAN across the VLAN subnet? If yes, I do not understand that because the VLAN is not bridged to the LAN subnet.
 
Old 10-15-2015, 02:20 PM   #10
nini09
Senior Member
 
Registered: Apr 2009
Posts: 1,857

Quote:
Are you saying that once the VLAN machine connects to the web that anybody on the web can access the LAN across the VLAN subnet? If yes, I do not understand that because the VLAN is not bridged to the LAN subnet.
No, the LAN still can't see the VLAN machine's traffic.
 
Old 10-15-2015, 03:15 PM   #11
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Unless you set up a route (port forwarding, your machine/router gets owned) for the public to get into your LAN, there is no way for it to happen.
 
Old 10-16-2015, 08:39 AM   #12
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware
Posts: 1,893

Original Poster
Okay, thanks. Back to the original question. Is there anything further to do to ensure this VLAN is truly isolated?