Orbi BRKE963 - How to set and manage firewall rules

Netgear's Orbi routers do not include sophisticated firewall capabilities.  There is an optional (subscription, i.e. "paid") feature called Armor that you might explore. (Having never enabled Armor - because it is "paid" - I have no idea what it can and cannot do.)

The base product has an Advanced feature called Block Services.which deals with the specific situation mentioned (allow LAN access but deny internet access to a specific device or devices).

It is probably relevant to point out that the Orbi product does not support VLANs, which are often used to separate devices into separate network subsets and control communication between them.  The internal LAN is one IP subnet, which means an device can connect to any other device. (With the exception of the Guest WiFi network, which allows access only to the internet).

Hi CrimpOn,

Many thanks for your reply. A bit odd that such a high-end product doesn't have these features and even asks for an additional subscription.

That said - You mentioned VLAN's are not an option. However, there is a VLAN section available in the advanced settings? I was actually planning on using VLAN's to try and reach some of the security goals.

I also have some managed switches in the network for that purpose.

The VLAN feature of Orbi routers is (in my mind) a bit misleading.  As the User Manual points out (on page 92)

 https://www.downloads.netgear.com/files/GDC/RBKE963/RBRE960_RBSE960_UM_EN.pdfhttps://www.downloads.netgear.com/files/GDC/RBKE963/RBRE960_RBSE960_UM_EN.pdf 

The intended use is to support IPTV for Internet Service Providers who require it.  What happens is that a port defined this way does not employ the usual Network Address Translation (NAT).

The Orbi router LAN ports do not recognize VLAN tagging, which is an essential part of a VLAN implementation.

As to what features one should expect of a consumer WiFi router (even at this price point), that's far beyond me.