Partner, kids and guests, you cannot expect everyone to follow good security practices.
Heck, often you cannot even trust a lot of the software you use. So what do you do? Separate guest network? Separate network just for yourself?
VLANs. Pretty much everything supports them now other than the crappiest commercial gear.

I have:

A "front-door" network, which is the network behind my firewall. Anything internet facing is there, as well as monitoring tools (e.g. Snort). Things here can't talk back to more interior networks.

A "family" network. Generally untrusted, all the phones, iThings, IoT that I decide actually needs to phone home, kids' laptops, etc. There's a guest WiFi that dovetails here.

A "work" network. Network for my wife's and my work laptops and other work-specific resources.

A "service" network for all the backend stuff.

I have an OpenBSD firewall segregating things. The fileservers are VLAN attached so they have an interface on each network.
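A minimal pf.conf sketch of the zone separation described in the comment above, added here as an illustration and not the commenter's own ruleset. Interface names, VLAN numbers, and the permitted flows (internet access for every zone, DNS on the firewall) are assumptions.

```pf
# Sketch only: interface names, VLAN numbers and allowed flows are assumed.
ext_if    = "em0"      # uplink to the ISP
front_if  = "vlan10"   # "front-door": internet-facing hosts, monitoring
family_if = "vlan20"   # "family": phones, IoT, kids' laptops, guest WiFi
work_if   = "vlan30"   # "work": work laptops
svc_if    = "vlan40"   # "service": backend hosts

# Private ranges stand in for "any interior network".
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
block return log all   # default deny in both directions, refusals logged

# NAT on the uplink and let permitted traffic leave through it.
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
pass out on $ext_if inet

# Each zone may reach the internet but no other private network, so
# front-door hosts cannot talk back to family, work or service, and
# the untrusted family/guest devices cannot reach work or service.
pass in on $front_if  inet from $front_if:network  to ! <private>
pass in on $family_if inet from $family_if:network to ! <private>
pass in on $work_if   inet from $work_if:network   to ! <private>
pass in on $svc_if    inet from $svc_if:network    to ! <private>

# Assumes the firewall itself answers DNS for every zone.
pass in on { $front_if $family_if $work_if $svc_if } inet \
    proto { tcp udp } to self port 53

# Any cross-zone exception would need its own narrow pair of rules
# (pass in on the source VLAN, pass out on the destination VLAN);
# none is defined here, so inter-VLAN traffic stays blocked.
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it. Fileservers with an interface on each VLAN are reached without crossing the firewall, so they need IP forwarding disabled and their own host filtering, or they become a path between zones.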
subnetting

it's like putting up laneways in your network

it's also possible to relay an internet connection from a primary router to a secondary router so you can have control over the traffic to and from the guest router

use an alternate DNS; there are ones that filter certain content

you could also encrypt the network traffic