You are on the right path. At my facility the sACN comes out of my console and goes into a switch that distributes it throughout the main room. It is isolated at the moment. The Max remote goes into the IT guys network facility wide with a dedicated IP range for all of our production / technical gear. I have two options. Option one is to plug into the technical network directly and then I can use MPC as a slave to my Compact, while letting the Compact still send out sACN. Option two is, that the IT guys have created a "virtual" machine. I can plug into any regular Ethernet jack (or remote in from home) and use this "virtual" machine as an MPC slave, again controlling the compact that is sending out sACN. The "virtual" machine is "on" both networks via some IT VLAN tagging. We are in the process of working out a solution that will allow me to tie directly to the sACN network without having to "slave" a machine, but that is long term.
On the MAX remote side. The IT guys have again used their brain power and some VLAN tagging to tie the production / technical network to a dedicated SSID that is hidden and password protected to allow us to use the remotes (or our laptops on wifi). Our facility "hot spots / access points" are hosting several different SSID's, so again, I can go anywhere and still get to the console.
As a side note, we usually only use this as focus assists and general work / programming. In live situations, I too, like to be plugged in. One thing I have learned. Treat your IT guys nice. Work with them, explain what you'd like to do and ask for their help. I also have some switches with "ports 1-8" to do whatever, but when you work with them, they will hopefully open it up to some VPN connections and VLAN tags that will allow you to do way more and be more secure, than only switch to switch. Also, we don't have an internet connection on the Technical / production equipment side. This helps keep things from getting messed up, or updated accidentally causing bigger problems. In our situation, we asked IT to not allow the access, since we could update things with USB drives or laptops when plugged into regular jacks under our control. Just a starting point for us, we might change that later, but it has been working wonderfully for now.
In regards to only one NIC card (like in a laptop), we found out that when we VLAN tagged a PC, MPC would not work on the VLAN tag side, it had to be on the "non-tagged" side. Maybe @Martin_Controller, can confirm this. In our situation IT wanted to be on the "normal" side and the technical / production on the tagged. We have not had a chance to try it the other way. However, it sounds like you are using a USB to network adapter. So that might not be an issue for you.
Sorry for this being long. Just wanted to let you know, what we've learned and how we are setup. Hope this helps.