Suricata and Snort can help, but nothing is foolproof. And you may spend a lot of time clearing rules for legitimate activity. I recently had a new rule block me while trying to download software from a company; they use Akamai as a CDN to handle the bandwidth and file sizes. One week it worked fine, then the next it gets blocked. I’m guessing someone was spreading an attack by way of the Akamai CDN. This was an Emerging Threats (ET) rule. So you are going to need to constantly chase these rules when something doesn’t work.
But as part of the puzzle, it will help.
As mentioned, segmenting networks with rules that prevent hopping from one to the other also helps.
You could also do something like e2guardian and blanket block everything, then open only sites you need. This only works if you have a relatively small number of sites you need working. Might be OK for IoT devices, but certainly not great for general wireless devices unless you really only want certain things working. Sorting through all the sites that a single web page might use can be a job; I think I have 10 for Google/YouTube, and one local news station site had like 15 before I could get their videos to play.
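The "chasing rules" workflow from the post, as an added example that is not part of the original post: triage Suricata EVE alerts that fire on traffic to hosts you have already decided are legitimate (a CDN download host, say) and draft `threshold.conf` suppress entries for a human to review before they go live. The SID, hosts and IPs below are constructed placeholders, not real ET rules or Akamai addresses.

```python
import json
from collections import Counter

# Constructed eve.json lines (not real alerts). One flow event is mixed in,
# and one alert goes to a host that is NOT on the allow list.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","dest_ip":"203.0.113.10","alert":{"gid":1,"signature_id":1000001,'
    '"signature":"ET PLACEHOLDER CDN rule"},"http":{"hostname":"dl.example.com"}}',
    '{"event_type":"alert","dest_ip":"203.0.113.10","alert":{"gid":1,"signature_id":1000001,'
    '"signature":"ET PLACEHOLDER CDN rule"},"tls":{"sni":"dl.example.com"}}',
    '{"event_type":"alert","dest_ip":"203.0.113.11","alert":{"gid":1,"signature_id":1000001,'
    '"signature":"ET PLACEHOLDER CDN rule"},"http":{"hostname":"dl.example.com"}}',
    '{"event_type":"alert","dest_ip":"198.51.100.7","alert":{"gid":1,"signature_id":1000002,'
    '"signature":"ET PLACEHOLDER other rule"},"http":{"hostname":"unknown.example"}}',
    '{"event_type":"flow","dest_ip":"203.0.113.10"}',
])

def parse_alerts(eve_text):
    """Return (gid, sid, dest_ip, host) for each alert record in eve.json text."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partial lines
        if rec.get("event_type") != "alert":
            continue
        # Prefer the HTTP Host header, then the TLS SNI, then fall back to the IP.
        host = (rec.get("http", {}).get("hostname")
                or rec.get("tls", {}).get("sni")
                or rec["dest_ip"])
        alerts.append((rec["alert"]["gid"], rec["alert"]["signature_id"], rec["dest_ip"], host))
    return alerts

def suppress_candidates(alerts, allowed_hosts, min_hits=2):
    """Draft threshold.conf suppress lines for alerts on allow-listed hosts.

    Suppression is keyed per destination IP on purpose: CDN addresses change,
    so each candidate must be reviewed rather than applied blindly.
    """
    counts = Counter((gid, sid, ip, host) for gid, sid, ip, host in alerts if host in allowed_hosts)
    out = []
    for (gid, sid, ip, host), n in sorted(counts.items()):
        if n >= min_hits:
            out.append(f"# {host}: {n} hits on sid {sid}, review before enabling")
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip}")
    return out
```

Alerts to hosts outside the allow list are never suppressed, and hosts seen fewer than `min_hits` times are left alone so a single hit does not silence a rule.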