Better yet, use your router's firewall AND turn on your router's "Threat Protection" to protect everybody in your household using wifi and your router. My router has "Safe Access" and "Threat Prevention," two different approaches to network security.
Safe Access is DNS- and IP-based. It uses integrated external databases (such as Google Safe Browsing) to identify domains and IP addresses associated with malware, phishing, botnets, command and control servers, social engineering, and other threats. Devices on the network that attempt connections to banned destinations are denied access.
Threat Prevention is signature-based and uses Deep Packet Inspection (DPI) to monitor incoming and outgoing traffic. Malicious packets are discovered in real-time and dropped automatically. You can enable it to alert you to Internet attacks and inappropriate user behaviors.
Safe Access and Threat Prevention do not conflict with each other. Both packages operate silently in the background.
I have a number of routers and a couple of them are arranged in a cascading subnet. One thing I learned the hard way: Do not enable advanced protection features on two routers in series. Only on the “root” one. If both are enabled expect lots of intermittent headaches... Blocking of legitimate activity but only when their learning algorithms feel like it.