ER605 Standalone network segregation
Hello.
I work from home, and in the fine print, I apparently agreed that my employer can feel free to browse my home network at will. I don't think they are actually doing anything like that, but they have the ability to and I signed a piece of paper giving them permission to.
As a temporary stopgap, their Cisco VPN router is currently plugged into a Raspberry Pi running OpenWrt and it is sharing its Wi-Fi as if it is the internet. When I plug my laptop into the Pi's Ethernet port, I cannot ping, ssh, ftp, etc. any computer on my home network. As far as I can tell with any network scanners I have played with, anything plugged into that port thinks that it is the only computer on the network, but it has internet access. So when I plug their VPN router in, it should see the same. While this works, it is a Raspberry Pi using its Wi-Fi... Applications and web browsing work OK, but anything with bandwidth demands grinds and stutters and... just... no... It's a stop-gap solution.
I purchased the TP-Link ER605 in hopes of solving for this, but no matter how much I play with it, I cannot recreate what the Pi is doing without even trying.
I hope to have port 2 set up on its own VLAN 10.8.8.x while Port 3-5 are my home network and Wi-Fi routers with the home network handing out 10.0.0.x IPs.
AP -> port 1
Work Router -> port 2
Empty (for now) -> port 3
Empty (for now) -> port 4
Home router -> port 5
I have the ER605 handing out IPs to a VLAN on port 2, but cannot seem to stop traffic between that VLAN and my home network.
To simplify things and eliminate my home network being the issue, I currently have laptops plugged into port 2 and 5 and nothing else plugged in.
The laptop on port 2 gets an IP 10.8.8.199
The laptop on port 5 gets an IP 192.168.0.123
I can ping and ssh into 192.168.0.123 from 10.8.8.199.
How do I stop this?
Is there a way to segregate the 10.8.8.x network from everything but the wan port? It needs internet, and nothing more. I don't need someone from my work controlling my IP security cams, printing on my 3D Printer, or browsing my personal NAS, especially that one folder...
I need my work router to think it is the only reason I have internet and that there is nothing else on my network. The Pi is currently doing this, but it is painful to join a video call.
I have not used the Omada software, and hope to avoid using it if possible. Is there a rule or a setting I am missing in the standalone web app?