I would put the NAS on its own VLAN and set up an access account through a VPN. If you just want the 3 physical machines to have access, then put the machines and NAS on their own VLAN. The machines would be allowed to access the Internet, but they could not access any other system's files on the LAN, nor could the rest of the LAN access theirs or the NAS's. If you have Cisco switches, then you need to log in, go to enable, config t, then set up your VLANs 1, 2, and possibly 3 depending on your setup. Each VLAN will be on its own IP scheme and/or its own subnet if that's how you want to set your topology.
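
Added example, not part of the original post: a Cisco IOS sketch of the second layout described above, with the NAS and the three machines together on VLAN 2 and the rest of the LAN on VLAN 1. It assumes a layer-3 switch doing the inter-VLAN routing; the port range, subnets, VLAN name and ACL names are constructed for illustration.

```cisco
! Entered after: enable, then configure terminal
! Assumption: layer-3 switch, so routing between VLANs happens here
ip routing
!
! VLAN 1 already exists as the default VLAN; create VLAN 2 for the NAS group
vlan 2
 name NAS-GROUP
!
! Assumed ports: Gi0/1-3 are the three machines, Gi0/4 is the NAS
interface range GigabitEthernet0/1 - 4
 switchport mode access
 switchport access vlan 2
!
! Each VLAN gets its own subnet (addresses are constructed)
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN-IN in
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip access-group NAS-GROUP-IN in
!
! Traffic entering from VLAN 2: allow DHCP requests, block the rest of
! the LAN, allow everything else (Internet)
ip access-list extended NAS-GROUP-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! Traffic entering from VLAN 1: same rules in the other direction, so the
! rest of the LAN cannot reach the NAS or the three machines
ip access-list extended LAN-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
```

`show vlan brief` confirms the port assignments, and `show ip access-lists` shows hit counts on the deny lines once a blocked host tries to cross between the two subnets.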