My 2 cents:
A capable router will accomplish the segregation you seek. Ditch that ISP-provided router (if you can; some bundled services might depend on their gear being the gateway) and get a capable home router that provides the use of multiple subnets and access controls.
https://www.flashrouters.com/
FlashRouters provides pre-flashed routers (as the name implies) that are super capable of doing all sorts of networking kung fu.
Personally I just put all of my networking/server lab stuff on VLAN 17. The rest of my home is on VLAN 5. Everything connects to the same router (well, a switch that is connected to a router) which NATs for both VLANs. I have an ACL in place that states only my VPN VLAN can talk to VLAN 17. You need to authenticate in order to be able to communicate with VLAN 17. Outbound connections are allowed from VLAN 17.
Now the major advantage of having a VPN-capable router is that I can lab remotely. When I have downtime at work I hop on my home network, power up my switches and routers and start configuring.
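The VLAN and ACL layout described in this post, written out as an OpenWrt firewall configuration (/etc/config/firewall). This is an added example, not the poster's own config; it assumes an OpenWrt-based router with logical interfaces named home, lab, vpn and wan for VLAN 5, VLAN 17, the VPN subnet and the uplink.

```uci
# Zones for VLAN 5 (home), VLAN 17 (lab), the VPN subnet and the WAN uplink.
# Interface names home/lab/vpn/wan are assumed, not taken from the post.

# VLAN 5: the rest of the house
config zone
	option name 'home'
	list network 'home'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# VLAN 17: networking/server lab
config zone
	option name 'lab'
	list network 'lab'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Remote users land in this zone only after authenticating to the VPN
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Uplink: nothing inbound, NAT for every zone allowed to forward here
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Outbound from both VLANs; replies return via connection tracking
config forwarding
	option src 'home'
	option dest 'wan'

config forwarding
	option src 'lab'
	option dest 'wan'

# Only the VPN zone may initiate into the lab; there is deliberately no home->lab entry
config forwarding
	option src 'vpn'
	option dest 'lab'
```

With no forwarding section from home to lab, the zone default of REJECT drops any VLAN 5 host that tries to reach VLAN 17, while lab hosts can still reach the internet and answer connections that arrived through the VPN.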