Separate Network Using Second Router

Hi,
I have a Netgear Orbi RBR50 Mesh Network setup at home. This connects to my ISP Modem.

I would like a secondary network, completely isolated from the first, for working from home.

I cannot create VLAN on the Netgear Orbi.

I have purchased a Beryl AX. Is there any way I can connect the WAN port of the Beryl to the LAN port of my Orbi and ensure that anything connected to the Beryl has no access to the remainder of the network?

I am guessing something like this would need to be set at the Orbi level but it’s not possible? Is there an alternative firewall or something I could set up on the Beryl please? Know very little about networking!

Thanks.

Since you don't want the devices which connect to the Beryl to access the network, why should you connect its WAN to the LAN of the Orbi?

To gain internet access?

Hi.

What you are looking for is a different subnet on your Beryl from the one on your Orbi.
By default, your Beryl should have a 192.168.8.1 subnet while your Orbi may be something like 192.168.1.1.
By default, your Beryl will therefore access the Internet through Orbi but devices connected to the Beryl won't see devices on your Orbi and vice versa.

Should you want to change subnet on your Beryl, have a look into "Private Network" under Network->LAN

1 Like

Thank you for your response and explanation.

So it sounds like the devices will automatically be separated and that my secondary Beryl AX network will be completely isolated from the first, meaning that devices on the Beryl AX cannot see the remainder of the network, which is exactly what I want. Just checking I don’t need to set up any firewall rules or anything, this is all automated? Thanks!

To prevent your Beryl's LAN from accessing your main network (if this is what you want), set up a firewall rule in Beryl's Advanced settings.

Please replace with the correct LAN and WAN subnet.

1 Like

Thank you. So this will still provide internet access but block devices on the Beryl accessing any devices on the Orbi subnet?

Yes exactly. Just have a try.

1 Like

That’s great. Thank you everyone for your help and support. I’m sure this post will be useful to others working from home and looking to create a separate network for work-managed devices or for IoT devices etcetera!

You should know how this works in the basics. When you connect a device, the device will ask the network some basic information using a protocol called DHCP: What IP am I, what is the default gateway and what is the DNS server?

When that device then wants to connect to some other device it will check (in its routing table) where to send a package. Generally either it is a device within the same network or it's part of another network/the internet.

If it is part of another network/the internet the device will send all that to the default gateway it got using DHCP. That gateway should then figure out where to send it next.

Let's assume the Beryl AX is 192.168.8.1, your Netgear Orbi is 192.168.1.1.
When you connect your Beryl's WAN-port to the LAN-port of the Netgear Orbi, it will ask that basic info. The Orbi gives it IP 192.168.1.3, default gateway 192.168.1.1 and DNS 192.168.1.1.
When you connect your work PC to the LAN-port of the Beryl, it will also ask that basic information. The Beryl gives it IP 192.168.8.6, default gateway 192.168.8.1 and DNS 192.168.8.1.

To the Orbi, another device is also connected. Let's call it private-pc on 192.168.1.10.

Let's see if connecting the Beryl WAN-port to the Orbi's LAN-port works, using some test cases.

Test case #1:
If the work PC wants to access the internet (8.8.8.8), it will see that 8.8.8.8 is not part of the network 192.168.8.x it is connected to. So it will send that traffic to the default gateway to handle it. The default gateway is 192.168.8.1 (the Beryl).
The Beryl receives the traffic and looks for the best route to it. It's not part of any network it knows, so it will send it to its default gateway 192.168.1.1 (Orbi).
The Orbi receives the traffic and looks for the best route to it. It's not part of any network it knows, so it will send it to its default gateway, which will be the ISP modem/gateway of your ISP. Your ISP will continue doing all the routing and will actually reach 8.8.8.8.

Test case #2:
Now let's check what happens if the work PC tries to reach that private-pc.
If the work PC wants to access the private-pc (192.168.1.10), it will see that 192.168.1.10 is not part of the network 192.168.8.x it is connected to. So it will send that traffic to the default gateway to handle it. The default gateway is 192.168.8.1 (the Beryl).
The Beryl receives the traffic and looks for the best route to it. It's part of a network it knows. The Beryl knows both the 192.168.1.x and 192.168.8.x network, so it will send it to 192.168.1.10.

That means you can reach that private-pc from that work-pc.

Test case #3:
Now let's try that the other way around. Can the private-pc reach the work-pc?
If the private PC wants to access the work-pc (192.168.8.6), it will see that 192.168.8.6 is not part of the network 192.168.1.x it is connected to. So it will send that traffic to the default gateway to handle it. The default gateway is 192.168.1.1 (the Orbi).
The Orbi receives the traffic and looks for the best route to it. It's not part of any network it knows, so it will send it to its default gateway, which will be the ISP modem/gateway of your ISP.
Because it is a private-ip, the ISP (or the Orbi) will drop the traffic.

The Orbi does not know the 192.168.8.x network exists, so it will not give that traffic to the Beryl. Therefore it can never reach the 192.168.8.x network.

Preventing the work-pc from reaching the private-pc in this situation is really simple: Use the firewall in the Beryl AX to block traffic going to anything in 192.168.1.x. That would prevent the work network from being able to reach the private LAN.

2 Likes
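
The three test cases from the post above, plus the suggested block rule, as a small routing simulation. This is an added example and not part of the thread: the addresses are the post's assumed ones, while the node names, the `trace` function and the `block_orbi_lan` flag are made up for illustration, and NAT is not modelled.

```python
import ipaddress

# Constructed topology using the addresses assumed in the post.
ORBI_LAN = ipaddress.ip_network("192.168.1.0/24")
BERYL_LAN = ipaddress.ip_network("192.168.8.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Per-node routing table: (prefix, next hop). None means "directly attached".
ROUTES = {
    "work-pc":    [(BERYL_LAN, None), (DEFAULT, "beryl")],
    "private-pc": [(ORBI_LAN, None), (DEFAULT, "orbi")],
    "beryl":      [(BERYL_LAN, None), (ORBI_LAN, None), (DEFAULT, "orbi")],
    "orbi":       [(ORBI_LAN, None), (DEFAULT, "isp")],  # no route to 192.168.8.x
}

def next_hop(node, dst):
    """Longest-prefix match over the node's routing table."""
    matches = [(net, hop) for net, hop in ROUTES[node] if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(start, src, dst, block_orbi_lan=False):
    """Follow a packet hop by hop; return (verdict, path of nodes visited)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node, path = start, [start]
    while True:
        if node == "isp":
            # Private (RFC 1918) destinations are not routable on the internet.
            return ("dropped at isp" if dst.is_private else "delivered"), path
        # The suggested rule: Beryl refuses to forward its LAN to the Orbi subnet.
        if node == "beryl" and block_orbi_lan and src in BERYL_LAN and dst in ORBI_LAN:
            return "blocked at beryl", path
        hop = next_hop(node, dst)
        if hop is None:          # destination is on a directly attached network
            return "delivered", path
        node = hop
        path.append(node)

if __name__ == "__main__":
    cases = [
        ("#1 internet",        "work-pc",    "192.168.8.6",  "8.8.8.8"),
        ("#2 work -> private", "work-pc",    "192.168.8.6",  "192.168.1.10"),
        ("#3 private -> work", "private-pc", "192.168.1.10", "192.168.8.6"),
    ]
    for name, start, src, dst in cases:
        for rule in (False, True):
            verdict, path = trace(start, src, dst, block_orbi_lan=rule)
            print(f"{name:20} rule={rule!s:5} {' -> '.join(path):32} {verdict}")
```

The rule matches on the destination address, so internet traffic still passes through the Orbi: 192.168.1.1 is only the next hop for those packets, never their destination.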