I am using EVE-NG in VMWare Workstation Pro to simulate a simple network. The VM is set to use NAT. I have pnet1 set to 10.0.0.1 /16, and all traffic is routed from this network to pnet0 (management cloud interface) to allow internet access to the network. I have a simple network configured, and all devices can ping the public internet. However, they can also ping my personal router, and any devices on my personal network. Is there a way for devices in my lab to connect to the internet, but not have access to my personal network? Would I need 2 NICs for this to work?

I've included some information that might be useful. I only included lines I edited. The router is a fresh install with the only changes made listed here.

/etc/network/interfaces
# The primary network interface
iface eth0 inet manual
auto pnet0
iface pnet0 inet dhcp
    pre-up ip link set dev eth0 up
    bridge_ports eth0 
    bridge_stp off

# Cloud devices
iface eth1 inet manual
auto pnet1
iface pnet1 inet static
    bridge_ports eth1
    bridge_stp off
    address 10.0.0.1
    netmask 255.255.255.0

iptables -L -nv -t nat
    Chain POSTROUTING (policy ACCEPT 49 packets, 2956 bytes)
pkts    bytes    target                 prot    opt    in    out        source             destination
     0          0    MASQUERADE   all      --       *    pnet0    10.0.0.0/24      0.0.0.0/0

Router Configuration
ip dhcp excluded-address 172.168.0.1
ip dhcp pool 1
    network 172.168.0.0 255.255.0.0
    default-router 172.168.0.1
    dns-server 172.168.0.1

interface Ethernet0/0
    ip address 10.0.0.2 255.255.0.0
    ip nat outside
    ip virtual-reassembly in
    duplex auto

interface Ethernet0/1
    ip address 172.168.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto

ip dns server
ip nat inside source list 100 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1

access-list 100 permit ip 172.168.0.0 0.0.255.255 any

Topology