try to set up wifi aps instead of repeaters.
use the maximum of 63 chars long password (not supported at all vendors)
small raspberry pi with linux and installOpenLDAP for wired devices FreeRadius for wireless devices.
put all wifi clients into vlans, e.g.
vlan10 for family = radius certificate - internet & LAN
vlan20 for guests = vouchers - internet only
Install a small wifi card into your pfsense and turn on
hotspot with voucher system for guests, can also be a
give all clients a static IP address in the entire network
and then narrow down the DHCP address space to them,
that means no other free dchp addresses will be able to given out.
Setting up snort and/or suricata on pfsense and OSSec
on any other devices, you may need another small server
but also another security line.
Turning on wireshark and sniff on your wifi for a while
perhaps on an rapi or notebook or your laptop at the weekend. Watch out any other IPs then your own ones.
try narrow down the entire signal strength of your wifi
so it is enough for you but only in the near area of you
house or apartment. Try to implement WPA3 where ever
you can do it.
Alternatively you may be also able to get hands on
UBNT wifi aps and then you may get also a small
edge router from them and install there the radius