by boringuser2 897 days ago
I think this is generally barking up the wrong tree and addressing the wrong attack vectors for home wifi.

An actual over-engineered home wifi looks like this:

1. Use, at the very least, prosumer grade router access points. I use *sense and Aruba access points, but you don't need to get this serious.

2. Use heavy DNS filters. This will block a lot of malware by itself. Quad9 DNS is a good starting point.

3. Use a secure wifi password.

4. Don't enable upnp, etc.

5. Don't enable ssh or any kind of remote access.

6. Don't open any ports to the outside. This is the default ruleset for pretty much any firewall.

7. If you ever have guests who require wifi, segment these users on a guest wifi or vlan.

8. Reduce your reliance on wifi-powered devices. Favor zigbee smart home devices over wifi devices.

9. (Optional) segment your IoT devices on a vlan.

10. (Optional) use some kind of security package that includes layer 7 monitoring on your LAN.

11. (Optional) use some kind of security package that includes IPS/IDS.
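Items 6, 7 and 9 above describe one forwarding policy: nothing may initiate a connection from the internet inward, guest and IoT segments get internet only, and the trusted LAN may reach IoT but not the reverse. The following is an added example (not the commenter's own configuration) that encodes that policy twice: as a small stateful simulator with a connection-tracking table, so you can check which flows a default-deny ruleset lets through and why replies to LAN-originated connections still work, and as a rendered nftables forward chain. Zone names, interface names, VLAN ids and IP addresses are constructed assumptions.

```python
"""Zone-based forwarding policy for a segmented home LAN (items 6, 7 and 9).

Constructed example: zone names, interface names, VLAN ids and addresses are
assumptions, not taken from the post. The same policy is (a) simulated with a
tiny connection-tracking table and (b) rendered as an nftables ruleset.
"""

# Assumed mapping of zones to interfaces (untagged WAN, VLAN sub-interfaces inside).
ZONE_IFACE = {"wan": "eth0", "lan": "eth1.10", "guest": "eth1.20", "iot": "eth1.30"}

# Only these zone pairs may *initiate* new connections; everything else is dropped.
# No pair has "wan" as source, so inbound is default deny (item 6). Guest and IoT
# reach the internet only; LAN may talk to IoT (to control it) but IoT cannot
# initiate towards LAN (items 7 and 9).
ALLOW_NEW = {("lan", "wan"), ("lan", "iot"), ("guest", "wan"), ("iot", "wan")}


class ZoneFirewall:
    """Stateful forward-path policy: new flows consult ALLOW_NEW, replies consult conntrack."""

    def __init__(self, allow_new=ALLOW_NEW):
        self.allow_new = set(allow_new)
        self.conntrack = set()  # (src_ip, sport, dst_ip, dport) of accepted flows

    def evaluate(self, src_zone, src_ip, sport, dst_zone, dst_ip, dport):
        """Return 'accept' or 'drop' for one packet, recording accepted new flows."""
        forward = (src_ip, sport, dst_ip, dport)
        reverse = (dst_ip, dport, src_ip, sport)
        # Equivalent of `ct state established,related accept`: replies to a flow
        # that was accepted earlier pass regardless of zone policy.
        if forward in self.conntrack or reverse in self.conntrack:
            return "accept"
        if (src_zone, dst_zone) in self.allow_new:
            self.conntrack.add(forward)
            return "accept"
        return "drop"


def render_nftables(allow_new=ALLOW_NEW, zone_iface=ZONE_IFACE):
    """Render the same policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst in sorted(allow_new):
        lines.append(f'    iifname "{zone_iface[src]}" oifname "{zone_iface[dst]}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


def demo():
    """Walk a few constructed flows through the policy and return their verdicts."""
    fw = ZoneFirewall()
    v = {}
    # Unsolicited inbound from the internet to a LAN host: dropped (item 6).
    v["wan_to_lan_new"] = fw.evaluate("wan", "203.0.113.9", 40000, "lan", "192.168.10.5", 445)
    # LAN host opens HTTPS outbound, then the server's reply comes back.
    v["lan_to_wan_new"] = fw.evaluate("lan", "192.168.10.5", 51000, "wan", "198.51.100.7", 443)
    v["wan_reply"] = fw.evaluate("wan", "198.51.100.7", 443, "lan", "192.168.10.5", 51000)
    # Guest device reaching a LAN host: dropped (item 7); guest to internet: fine.
    v["guest_to_lan"] = fw.evaluate("guest", "192.168.20.8", 52000, "lan", "192.168.10.5", 22)
    v["guest_to_wan"] = fw.evaluate("guest", "192.168.20.8", 52001, "wan", "198.51.100.7", 443)
    # LAN controls an IoT device; the device may answer but may not initiate (item 9).
    v["lan_to_iot"] = fw.evaluate("lan", "192.168.10.5", 53000, "iot", "192.168.30.4", 80)
    v["iot_reply"] = fw.evaluate("iot", "192.168.30.4", 80, "lan", "192.168.10.5", 53000)
    v["iot_to_lan_new"] = fw.evaluate("iot", "192.168.30.4", 53001, "lan", "192.168.10.5", 22)
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
    print(render_nftables())
```

The simulator makes the reply-side point concrete: the internet host's packet back to the LAN is accepted only because the LAN host created the conntrack entry first, which is exactly why a default-deny router needs no inbound rules for ordinary browsing. Item 4 (no UPnP) matters here because UPnP would let an internal device add inbound accept rules that this rendered ruleset does not contain.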

1 comment

Items 4-9 accomplish nothing. Your LAN is not a security perimeter. This ain’t token ring.
You work with reality as it is, not as you'd prefer it to be.

A home router is generally protected on the WAN side.

Your threat model is to secure connections originating from the LAN side, which is the only way a threat actor can establish a connection into a default deny network.

Connections into hosts on your LAN don't gain an attacker anything, otherwise it would be unsafe to connect your laptop or phone to hotel, coffee shop, or airport wifi, and it's not.