Isolated network for devices

Hi, apologies in advance if this question is too noobish.
I have the GL.iNet GL-SFT1200.
~# cat /etc/glversion
4.3.17
The diagram below is what I want to achieve:

I want to connect my glinet router to the main Rogers ISP router. The devices on the glinet router (iot devices, linux server, backup phone) should not be able to access the devices on the rogers ISP router (personal pc, personal phone, game console).
The devices under the ISP's router have IPs 10.0.0.xxx, and under glinet they have 192.168.8.xxx.
So basically, I need to ensure none of my 192.168.8.xxx devices are able to access the 10.0.0.xxx devices.

I think I need to set up VLANs? But I have no idea how I go about doing that in LuCI or even the terminal.
Can someone please point me in the right direction?

The GL-iNet router is not able to configure the routes on the Rogers router. The GL-iNet router has one or more WAN and one or more (W)LAN connections. Everything from (W)LAN should be routed to WAN.
Whether it is on WAN directly or behind another router (double NAT) is not a topic for the GL-iNet router.

Putting the WAN of your GL-iNet router into the Guest or DMZ of your Rogers router is the only general advice. But we can't say how this will be routed, because this is outside the GL-iNet configuration.


Could I set up firewall rules?
Glinet itself is acting like a repeater and devices on glinet are in the 192.168.1.xxx IP range.
Devices on glinet are connected via wan.

Devices on the rogers are of 10.0.0.xxx range.

On the glinet, will setting up a firewall rule to NOT be able to access 10.0.0.xxx IPs work?
If yes, what would those rules look like syntax-wise?

Of course.

If your GL.iNet router is connected to 10.0.0.1 as gateway and you are blocking 10.0.0.0/24, you can't access this network or the internet behind it.
So you need to make an allow rule for the gateway first, then block the rest of the network.
And every rule behind it will be disabled.

In my opinion you are trying to outsmart how networks work, without understanding it.
This is hard to support; until now the whole idea makes no sense.

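As an added example, not from the reply above or from GL.iNet, this is what the two rules could look like in OpenWrt's /etc/config/firewall on the GL.iNet side, in the order the reply describes. It assumes the LAN-side zone is named lan, the upstream zone is named wan, and the Rogers gateway is 10.0.0.1.

```uci
# Added example for /etc/config/firewall (not GL.iNet's own configuration).
# Assumptions: zone 'lan' holds the 192.168.8.x devices, zone 'wan' faces the
# Rogers router, and the Rogers gateway is 10.0.0.1.
# Rules are evaluated in file order, so the ACCEPT for the gateway must sit
# above the REJECT for the rest of 10.0.0.0/24, or it never matches.

config rule
	option name 'Allow-Rogers-gateway'
	option src 'lan'
	option dest 'wan'
	option dest_ip '10.0.0.1'
	option proto 'all'
	option target 'ACCEPT'

config rule
	option name 'Block-Rogers-LAN'
	option src 'lan'
	option dest 'wan'
	option dest_ip '10.0.0.0/24'
	option proto 'all'
	option target 'REJECT'

# Apply with: /etc/init.d/firewall restart
```

After restarting the firewall, confirm from a 192.168.8.x device that 10.0.0.1 still answers and that a 10.0.0.x host such as the personal PC does not. If the Rogers router's admin page should also stay unreachable from the IoT side, narrow the first rule to the ports you actually need there (for example DNS) instead of proto all.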

I agree that I am trying to do something without fully understanding it.
I am trying to learn and I thank you for your patience in answering the best you can to my haphazard thoughts.

About the idea behind this entire thing -- put simply, I don't want my IoT devices to "see" my main devices. Why: just being paranoid. A Chinese-made (AliExpress) desktop stock ticker, smart plugs from TP-Link, a burner phone with a burner SIM card. I wish to isolate these devices so that they don't see my main devices, compartmentalising them.
This is the rough idea. Unfortunately, the rogers ISP router does not have a "guest wifi" mode which would've made going through all these hoops moot.

In fact, isolating IoT is a topic. In future maybe an IoT network is as important as a guest network... It could be submitted as a request to the GL.iNet team.

Still, the GL.iNet router is securing the LAN side. How should it take care of the WAN side?

First, create a VLAN for IoT. Then make a firewall rule: Deny everything.
After that, allow the communication to your infrastructure. And at last open the communication to the IoT services.

But this is more an OpenWrt topic.
And when you have switched to OpenWrt, and understood how to build an IoT VLAN, then you could get rid of the Rogers router. Else replace it with a GL.iNet router, or set it to dumb bridge mode and connect all devices to your GL.iNet router.
Even if you need one as a range extender, use a second GL.iNet router. Or maybe another OpenWrt-supported one.