You may want to check out older used Cisco gear on eBay. A lot of the older ones have gigantic capabilities at salvage prices. This is simply because most people don't think of running enterprise gear at home...
The cheapest would be a used Cisco ASA. FortiGate steps it up to AV/anti-malware protection, web filtering, etc... and is fairly affordable. And if you can afford it, Palos are great, but the annual subscription will cost you. All of them do VPN.
You can also create a new Deny rule for a particular program and only mark the public network:
Also, any time you want to specify a subnet in the rule, you can do it by:
If your IP address is 192.168.0.x and the subnet mask is 255.255.255.0
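As an added illustration (not part of the post above, and not tied to any particular firewall product), the snippet below turns the address-plus-mask description into the network form a rule scope normally takes, rejects masks that are not contiguous (which most firewalls will not accept), and lets you check which remote addresses a rule written that way would actually cover. The host address 192.168.0.17 and the second subnet are constructed sample values.

```python
import ipaddress


def subnet_for_rule(ip: str, mask: str) -> str:
    """Return the network (e.g. '192.168.0.0/24') a firewall rule should use
    to cover every host on the same subnet as `ip` with netmask `mask`.

    The ipaddress module zeroes the host bits for us (192.168.0.17 -> 192.168.0.0)
    and raises ValueError for a non-contiguous mask such as 255.255.0.255.
    """
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return str(iface.network)


def rule_matches(scope: str, remote_ip: str) -> bool:
    """True if `remote_ip` falls inside the rule scope produced above.

    Useful for sanity-checking a deny/allow rule before deploying it:
    a rule scoped to 192.168.0.0/24 should not match 192.168.1.5.
    """
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(scope)


def describe_rule(ip: str, mask: str, remote_ips):
    """Build the scope for (ip, mask) and report which sample addresses it covers."""
    scope = subnet_for_rule(ip, mask)
    return {r: rule_matches(scope, r) for r in remote_ips}


if __name__ == "__main__":
    # Constructed sample: a host at 192.168.0.17 with mask 255.255.255.0
    scope = subnet_for_rule("192.168.0.17", "255.255.255.0")
    print("rule scope:", scope)  # 192.168.0.0/24
    for addr, hit in describe_rule("192.168.0.17", "255.255.255.0",
                                   ["192.168.0.250", "192.168.1.5"]).items():
        print(f"{addr}: {'covered' if hit else 'not covered'}")
    try:
        subnet_for_rule("192.168.0.17", "255.255.0.255")
    except ValueError as exc:
        print("rejected non-contiguous mask:", exc)
```

The check function is the part worth keeping around: writing the scope as a network rather than a single address is easy, but confirming that the rule does not silently cover a neighbouring subnet (or miss part of your own) is what prevents an over-broad deny or an allow that lets in more than intended.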