How to segment home network for security?

My home network consists of an Airport Extreme and two Airport Express base stations, managed by my Mini OS X Server. I would like to segment my network so that devices with questionable security (IP web cams, Nest thermostat, etc.) are separate from my primary devices (desktops/laptops/iOS devices). I'm currently using my guest network for wireless devices, but I would like to keep them off that network as well. I'm curious what others have done and what suggestions people might have. I'd like to stick with my Airport hardware and maybe just add to it rather than replace it. It's been rock solid for me... I do realize it has limitations though.


Thanks for any suggestions!

Posted on Jan 25, 2016 1:43 PM


Jan 25, 2016 1:50 PM in response to Brian S. Campbell

For truly segmenting a network, home or business, you will want networking hardware that supports VLANs. Although the "Guest Networking" feature of Apple routers is a form of a VLAN implementation, it is a very simple one.


That being said, if you are serious about this type of networking security, you will need to change out (at least, your "main" router) to a non-Apple-based solution that supports VLAN implementation.

Jan 26, 2016 10:27 AM in response to Brian S. Campbell

Tesserax has given you the right way..


For a home network that is rather unnecessary.


I would like to segment my network so that devices with questionable security (IP web cams, Nest thermostat etc) are separate from my primary devices (desktops/laptops/iOS devices).

Actually web cams are absolutely fine security wise. Same with thermostat.. the issue is remote access to them.


As long as you have remote access then you are by definition opening your network to the outside world.


There are a couple of easy solutions.


1. For remote access, use a VPN.


You can now easily buy VPN routers and use one in place of the Airport.. which will still work fine, except in bridge rather than router mode. Almost no change to the rest of the network.


But there are multiple ways to do this.. you can also put a second router behind the Airport.. so totally leave the Airport and current network.

Put a VPN router plugged into the Airport.. and VPN through the Airport (which can be tricky, as the Airports can make VPN access difficult).


Put the cameras and thermostat on this second router, and then you can still access them on the local network if you have to.. but you can access them remotely via the VPN. You will not see these items at all on your local network.


2. You can just use a second router.. and double NAT.

Anything at all will do this job.. a second-hand Extreme.. a Gen5 is better IMHO than a new Express.. but certainly you could press your current Express into the role.


Put the cameras behind the second router.. Use DMZ to forward the ports to the second router for remote access.. in Apple terms this is called..




Enable default host.. put the IP of the second Airport in there.. fix it statically.. and there you go..


Access to this from the main network may not even be possible.. you will need to swap wireless on a computer if you ever need info from it.


This is not as good as the VPN method.. but in terms of a home network it is going to work very well.. the chances of being hacked in this situation are minimised and the chances of hackers doing damage are also minimal.. Just don't use admin or password.. for security. 😁

Jan 26, 2016 10:27 AM in response to Brian S. Campbell

FWIW ... I use a small-business Cisco router, the RV180, as my "main" router for my home. This is one of many routers that offers VLAN support. Hint: look for routers / gateways / switches that implement the 802.1q standard. Even though it has this capability, I don't actually have it implemented, as my current networking needs don't require it ... but I have "tinkered" with it and have worked in IT where it was common.


Implementing VLANs does take a bit of networking knowledge, but that knowledge can be gained without too much effort. If your security goals do require you to go this path, I would suggest that you start by looking at some of the VLAN material on the Internet so that you can get an idea on what you will be getting into. Here's one, as an example, that shouldn't be too boring of a read: http://serverfault.com/questions/188350/how-do-vlans-work


Before you know it, you will be helping us answer VLAN questions here at the Apple Support Communities!
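As an added illustration (not code from this thread or from any of the posters), here is a small Python model of the 802.1q segmentation described above: it parses the VLAN tag off an Ethernet frame and applies a one-way policy in which the IoT VLAN may reach the internet but never the trusted VLAN, while the trusted VLAN may still reach the cameras. The VLAN IDs, subnets and addresses are constructed for the example.

```python
import struct
import ipaddress

# Constructed values (not from the thread): a trusted VLAN/subnet and an IoT VLAN/subnet behind an 802.1Q router.
TRUSTED_VLAN, IOT_VLAN = 10, 20
VLAN_SUBNETS = {
    TRUSTED_VLAN: ipaddress.ip_network("192.168.10.0/24"),  # desktops, laptops, iOS
    IOT_VLAN: ipaddress.ip_network("192.168.20.0/24"),      # cameras, thermostat
}
TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def parse_vlan_frame(frame: bytes):
    """Return (vlan_id, priority, ethertype, payload) from an 802.1Q-tagged frame.
    Layout: dst MAC(6) | src MAC(6) | TPID(2) | TCI(2) | EtherType(2) | payload.
    TCI packs a 3-bit priority, a 1-bit DEI flag and the 12-bit VLAN ID."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    return tci & 0x0FFF, tci >> 13, ethertype, frame[18:]

def inter_vlan_decision(src_vlan: int, dst_ip: str) -> str:
    """Router policy: IoT may reach the internet but never the trusted LAN;
    trusted may reach IoT (e.g. to view a camera); same-VLAN traffic is allowed."""
    dst = ipaddress.ip_address(dst_ip)
    dst_vlan = next((v for v, net in VLAN_SUBNETS.items() if dst in net), None)
    if dst_vlan is None:
        return "allow"   # not a local subnet: forward towards the internet
    if src_vlan == IOT_VLAN and dst_vlan == TRUSTED_VLAN:
        return "drop"    # the isolation the question is asking for
    return "allow"

def decide_frame(frame: bytes) -> str:
    """Parse a tagged IPv4 frame and apply the policy to its destination address."""
    vlan_id, _prio, ethertype, payload = parse_vlan_frame(frame)
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return "drop"    # only IPv4 is modelled here
    return inter_vlan_decision(vlan_id, str(ipaddress.ip_address(payload[16:20])))

def build_tagged_ipv4_frame(vlan_id: int, src_ip: str, dst_ip: str, pcp: int = 0) -> bytes:
    """Constructed test helper: a minimal 802.1Q frame around a bare IPv4 header."""
    ip_hdr = bytearray(20)
    ip_hdr[0] = 0x45                                   # version 4, header length 5 words
    ip_hdr[12:16] = ipaddress.ip_address(src_ip).packed
    ip_hdr[16:20] = ipaddress.ip_address(dst_ip).packed
    tag = struct.pack("!HHH", TPID_8021Q, (pcp << 13) | (vlan_id & 0x0FFF), ETHERTYPE_IPV4)
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tag + bytes(ip_hdr)
```

A real 802.1q router enforces the same decision with its inter-VLAN firewall rules; the model only shows where the tag lives and which direction the rule must block.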
