Buy a firewall that has mobile vpn. Block everything. Slowly add rules unblocking only the things you need.

You could do anything within terms of service. Most medium sized businesses operate with half this bandwidth.

You would probably want three vlans. One VLAN for resources (printing and servers), a second VLAN as the standard data VLAN, and a third VLAN for Kid Data. Uplinks between network devices should be untagged, hosts should be tagged for their appropriate vlan. At the core you these three VLANs should be untagged for the ports going to resources (printing and servers) and the internet… It’s best practice to not use VLAN 1… but in your situation the network is probably not a target of threat actors. The WiFi networks can be added to the main data vlan. If you need the SSIDs separated, the. Make a fourth VLAN for the secondary SSID. These VLANs just need to cross over to whatever resources they need. This can be done with routing or just simple vlan tags on your L3 device…

I bet a museum would take it… if they won’t now they will eventually!

I do this with a mesh setup and it works fine. Everything else is connected to a different wap. I used to buy WiFi dongles for my desktop but they always go bad after a couple years (even the pci WiFi cards). A quality brand mesh with Ethernet ports work better and longer than a WiFi dongle. I have even had good experience streaming steam games from the desktop to a steam deck, which was also connected to the mesh devices.

When renting you don’t always have luxury of being able to run cable. You have to get a bit more creative.

Speed tests are inaccurate…