Secondary sites are not gateways, so the solution you've described is not valid and won't work. Secondary sites are for clients at remote locations, to address bandwidth issues. Clients must always be able to communicate with a management point that directly belongs to the primary site.
For a segregated network, use an additional site system hosting the MP, DP, and SUP roles, placed in that screened network. Ensure your boundaries and boundary groups properly map the clients in the screened network to this additional site system. Also make sure to enable MP affinity in the hierarchy settings of the site.
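The layout described in this answer, scripted with the ConfigMgr PowerShell cmdlets, as an added example (not code from the answer's author): a site system in the screened network gets the MP, DP and SUP roles, an IP-subnet boundary for the screened clients is placed in its own boundary group that references only that site system, and preferred management points are enabled at the hierarchy level so those clients stick to the MP they were assigned. The site code `P01`, the server FQDNs, the subnet and the boundary group name are constructed placeholders; the `-EnablePreferredManagementPoint` parameter name on `Set-CMHierarchySetting` is an assumption to verify with `Get-Help Set-CMHierarchySetting -Detailed` on your version.

```powershell
# Added example: place MP/DP/SUP on a site system in a screened network and
# map that network's clients to it. All names below are constructed placeholders.
$SiteCode        = 'P01'                          # primary site code (assumed)
$ScreenedServer  = 'cm-dmz01.screened.example'    # site system inside the screened network (assumed)
$ScreenedSubnet  = '10.50.0.0/24'                 # screened client subnet (assumed)
$BoundaryName    = 'Screened-10.50.0.0-24'
$BoundaryGroup   = 'BG-Screened-Network'

# Load the ConfigMgr module from the admin console install and switch to the site drive.
$modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
Import-Module $modulePath -ErrorAction Stop
Set-Location "$($SiteCode):"

# 1. Register the screened-network host as a site system of the PRIMARY site.
#    Secondary sites are not gateways; the roles must belong to the primary.
if (-not (Get-CMSiteSystemServer -SiteSystemServerName $ScreenedServer -SiteCode $SiteCode)) {
    New-CMSiteSystemServer -SiteSystemServerName $ScreenedServer -SiteCode $SiteCode | Out-Null
}

# 2. Add the three roles the screened clients need to reach directly.
#    Intranet-only connection type: this MP is not internet-facing.
Add-CMManagementPoint -SiteSystemServerName $ScreenedServer -SiteCode $SiteCode `
    -ClientConnectionType Intranet | Out-Null
Add-CMDistributionPoint -SiteSystemServerName $ScreenedServer -SiteCode $SiteCode | Out-Null
Add-CMSoftwareUpdatePoint -SiteSystemServerName $ScreenedServer -SiteCode $SiteCode `
    -WsusIisPort 8530 -WsusIisSslPort 8531 | Out-Null

# 3. Boundary for the screened subnet, in a boundary group that references
#    ONLY the screened site system, so clients there are never sent to an
#    MP/DP/SUP they cannot reach through the firewall.
if (-not (Get-CMBoundary -BoundaryName $BoundaryName)) {
    New-CMBoundary -Name $BoundaryName -Type IPSubnet -Value $ScreenedSubnet | Out-Null
}
if (-not (Get-CMBoundaryGroup -Name $BoundaryGroup)) {
    New-CMBoundaryGroup -Name $BoundaryGroup | Out-Null
}
Add-CMBoundaryToGroup -BoundaryName $BoundaryName -BoundaryGroupName $BoundaryGroup
Set-CMBoundaryGroup -Name $BoundaryGroup -AddSiteSystemServerName $ScreenedServer

# 4. MP affinity (preferred management points) is a hierarchy-wide setting.
#    Parameter name assumed; confirm with Get-Help Set-CMHierarchySetting.
Set-CMHierarchySetting -EnablePreferredManagementPoint $true

# 5. Quick check: which site systems does the screened boundary group hand out?
Get-CMBoundaryGroupSiteSystem -Name $BoundaryGroup |
    Select-Object ServerName, Flags |
    Format-Table -AutoSize
```

The check in step 5 should list only the screened-network server; if the default-site boundary group also matches the screened subnet (overlapping boundaries), clients there may still be offered internal-only site systems, so review overlaps before expecting the affinity to hold.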