Network Switches
It's a wifi world, it really is, but I've just figured out that you really need to go back to basics and get a switch. Why? It's called the "Internet of Things" (IoT for short). It's where everything has a wifi interface in it and it all lives on the same network. Remember a while back when there was a gigantic baby monitor hack? Imagine you buy an appliance and it has full access to the internet, but the people who made it weren't really computer security experts and left some gaping holes in it. Once that device is hacked, depending on the Operating System or the Operating System kernel, your whole network could be compromised.
So a decent managed network switch these days has the ability to do 802.1Q, which allows you to segregate your networks through something called a virtual LAN (VLAN). Below is a TP-Link SG1016DE_V2 switch I got for about $70.
Here's how it is done with pfSense and your switch (using my TP-Link SG1016DE_V2 as an example).
First tag the ports. My firewall is plugged into port 2 (most will probably plug into port 1, port 2 is on top) so you tag port 2 and untag the ports you want on your VLAN. Under VLAN ID type 10 or 20 or whatever number you want to use. You have to make sure you keep your tagging consistent though. So if you look at the bottom of the pic below I have tagged port 2 for both VLAN 10 and 20 and untagged port 16 for VLAN 10 and ports 3, 4, and 15 for VLAN 20. (This just happens to be the way I plugged stuff in and works best for my wire management).
Then go to the PVID settings page. Set port 16 for VLAN 10 and ports 3, 4, and 15 for VLAN 20.
Then in pfSense make two new interfaces, VLAN 10 and 20 under Interfaces > Interface Assignments.
Then (I'm using VLAN 20 as an example) enable the interface and set the address to 192.168.20.1. The third number matches the VLAN: 20 for VLAN 20, 10 for VLAN 10.
Finally, set the DHCP server to give out DHCP addresses. The only configuration not depicted here is the gateway setting (192.168.20.1).
And that should about do it. Plug into port 16 and you'll pull an address from 192.168.10.x range. Plug into 3, 4, 15 and you'll pull from 192.168.20.x range.
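The tagging page and the PVID page have to agree: untagged membership decides which VLAN's traffic leaves a port, and the PVID decides which VLAN untagged traffic arriving on that port lands in. The check below is an added example, not part of the original post and not a TP-Link or pfSense tool; it uses the port and VLAN numbers from the steps above, and the table layout and function name are made up for illustration.

```python
# Added example: the names below are hypothetical, the port/VLAN numbers come
# from the walkthrough above.
TRUNK_PORT = 2  # port the pfSense firewall is plugged into

# 802.1Q VLAN page: VLAN ID -> tagged and untagged member ports
VLAN_TABLE = {
    10: {"tagged": {2}, "untagged": {16}},
    20: {"tagged": {2}, "untagged": {3, 4, 15}},
}
# PVID page: port -> VLAN assigned to untagged frames arriving on that port
PVID_TABLE = {16: 10, 3: 20, 4: 20, 15: 20}


def check_vlan_config(vlans, pvids, trunk_port):
    """Return a list of problems; an empty list means the tables agree."""
    problems = []
    untagged_in = {}  # port -> VLANs in which the port is an untagged member
    for vid, members in sorted(vlans.items()):
        # pfSense sends and expects tagged frames for every VLAN interface.
        if trunk_port not in members["tagged"]:
            problems.append(f"VLAN {vid}: trunk port {trunk_port} is not tagged")
        for port in sorted(members["tagged"] & members["untagged"]):
            problems.append(f"VLAN {vid}: port {port} is both tagged and untagged")
        for port in members["untagged"]:
            untagged_in.setdefault(port, []).append(vid)
    for port, vids in sorted(untagged_in.items()):
        # An access port untagged in two VLANs receives traffic from both.
        if len(vids) > 1:
            problems.append(f"port {port}: untagged in more than one VLAN {vids}")
        # Egress (untagged membership) and ingress (PVID) must name the same VLAN.
        if pvids.get(port) not in vids:
            problems.append(f"port {port}: PVID {pvids.get(port)} but untagged in {vids}")
    for port, pvid in sorted(pvids.items()):
        if port not in untagged_in:
            problems.append(f"port {port}: PVID {pvid} but no untagged membership")
    return problems


if __name__ == "__main__":
    print("walkthrough config:", check_vlan_config(VLAN_TABLE, PVID_TABLE, TRUNK_PORT) or "consistent")
    # Constructed mistake: port 15 added to VLAN 20 but its PVID left at 1.
    forgot_pvid = {**PVID_TABLE, 15: 1}
    for problem in check_vlan_config(VLAN_TABLE, forgot_pvid, TRUNK_PORT):
        print("forgot PVID:", problem)
```
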
Folks, the challenges with computer security are not just software. Sometimes improved security involves the physical connection to the device (along with segregation and firewalling).
I'm aware this is beyond the scope of most casual computer users' abilities but hey... I'm for sale.