Shameless self-plug on my Wiki:
This is a work in progress for the IPv6 network stack (have to deal with some issues), but should give anyone interested a few indications on how to setup the network. Depending on one’s threat model, one can block all outgoing traffic coming from the UNTRUSTED network. I tried not to completely block the untrusted network’s access to the internet, as you may want things like software updates (port 80 and 443). Depending on what untrusted devices you get, you may want to block them completely, but that’s up to the individual. That is how my network is set up, because I don’t own IoT devices.
Any suggestion for improvements is welcome.
Also, I’m at a point where I don’t really trust most computers and I try to avoid home automation. I prefer to get up and press a light switch instead of using some wireless remote controls. Also a fan of wiring everything up, but I also tend towards minimalism (not a minimalist per se though).