You appear to have encountered a growing pain only expanding, medium-sized businesses ever see: diverging security policies in overlapping domains. Addressing this adequately normally depends on compliance requirements, but since you aren’t running a business, the answer depends on failure modes you’re willing to tolerate (and those you aren’t). That said, I offer some recommendations based on what I’ve seen work in corporate environments.

First, establish security domains, which are essentially policy scopes with which the network should align. Doing this depends on what you value, and security domains for your environment might be Appliances (devices that cooperate and are centrally managed), Infrastructure (power, water, heat, and so on; again, things that can cooperate but take priority over other household devices), DMZ (isolated Internet access with device cooperation prohibited), Internal (a trusted domain containing your personal computers) and Internet. It may also be reasonable to have an isolated Vendor domain, for embedded devices that connect to the cloud (security cameras, smart TVs, etc.) but still need to cooperate locally.

Defining security domains in this way, the goal is not to eliminate attack vectors (magical thinking) but to constrain them so they can be well understood, preferably without introducing any more complexity than is necessary.

Second, establish a central point of control: a firewall. Every layer-3 interface of the firewall should reflect a security domain, which may consist of multiple subnets (VLANs) attached to a router. Doing this ensures you need only configure rules for interaction between security domains, letting switches (or additional routers) do the rest. That every firewall rule must be meticulously crafted is an ugly part of making this work, but if you want to know exactly what’s allowed to get to where, there will be no mystery.

For a domain that doesn’t need to interact with the others (a test network, say) it doesn’t need to be represented on the firewall as it can remain isolated. This is likely a good idea for your Infrastructure devices, which can remain on a separate VLAN with static IPs, and can be managed by connecting your laptop to a port on that VLAN. For why this is a good idea, read up on some of the SCADA hacks that have been in the news. This level of isolation didn’t stop Stuxnet, but that was another level of attack entirely.

Once you have security domains and a way to control them, the rest is endpoint management. Monitor your network traffic with an IDS, keep abreast of software updates in your computers and appliances, be weary of untrusted USB drives and e-mail attachments, etc. You can do these things today, without a complex network.

To the question of hardware, I would use a Cisco ASA 5506-X for the firewall. I’m biased because I work with ASAs often, but the 5506-X is (somewhat) affordable and has every feature you’ll ever need (and then some). For home routers, anything that supports static routes (or a dynamic protocol if you really start to grow 🙂 ) and pushes the right bandwidth will do. For switches, anything that supports VLANs and the right bandwidth are fine.

I hope this helps. Regardless, good luck in finding a good arrangement for your extraordinarily large home network! 😀