What we really want to do is prevent file sharing activities (eg - Bittorrent) that can result in those extortion letters from lawyers.
I bought a router (Asus RT-AC58U) specifically for guests. So the router is connected to my home router, but has a different WIFI network. That means that Internet still goes through my home internet connection.
My first attempt was to permanently have the guest router connected to a VPN service. However, the problem is that Netflix blocks customers who are connecting through VPN, so I had to turn it off. Blocking Netflix would only encourage illegal activity.
My second attempt, which I think works well, is to restrict outgoing ports to a very specific handful of ports. Bittorrent uses the higher port ranges for file sharing, so blocking those outgoing connections will prevent bittorrent. This isn't 100% bulletproof because bittorrent can run over any port. But any guest trying to use bittorrent would quickly realize that it's not working and would give up.
So in my router settings, I created a whitelist of ports that are allowed to go out. For my router, the settings are found under Firewall > Network Services Filter. Here's what I configured in my router.
Port 21:22 - TCP - FTP/SFTP. Theoretically people can download illegal stuff from FTP/SFTP, but you won't get a letter for this.
Port 25 - TCP - May be needed for sending e-mail (SMTP)
Port 53 - TCP/UDP - Needed for DNS (not sure if TCP is needed)
Port 80 - TCP - Needed for normal web browsing
Port 443 - TCP - Also needed for normal web browsing
Port 3544 - UDP - Needed for some business VPNs.
I'd be interested in what other ports might be needed. So far, this seems to work well.
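The whitelist above, modelled as an egress policy you can test before committing it to a router. This is an added example and is not code from the post or from the router firmware; the rule table is copied from the post, the sample flows are constructed, and the interface name `br0` in the rendered iptables commands is an assumption (Asus firmware names its LAN bridge differently depending on model and build).

```python
"""Egress port whitelist model for a guest network.

Reproduces the outbound filter described in the post: only a handful of
destination ports are allowed, everything else is dropped. Added example,
not the router's own configuration or firmware code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    low: int     # first allowed destination port
    high: int    # last allowed destination port (inclusive)
    note: str    # why the port is open


# The whitelist from the post. "21:22" in the router UI is the range 21-22.
WHITELIST = [
    Rule("tcp", 21, 22, "FTP/SFTP"),
    Rule("tcp", 25, 25, "SMTP"),
    Rule("tcp", 53, 53, "DNS (TCP is used for large answers and zone data)"),
    Rule("udp", 53, 53, "DNS"),
    Rule("tcp", 80, 80, "HTTP"),
    Rule("tcp", 443, 443, "HTTPS"),
    Rule("udp", 3544, 3544, "some business VPNs"),
]


def is_allowed(proto, dport, rules=WHITELIST):
    """True if an outbound connection to (proto, dport) matches a whitelist rule."""
    proto = proto.lower()
    return any(r.proto == proto and r.low <= dport <= r.high for r in rules)


def classify(flows, rules=WHITELIST):
    """Label each (proto, dport) pair as ALLOW or DROP, preserving order."""
    return [(p, d, "ALLOW" if is_allowed(p, d, rules) else "DROP") for p, d in flows]


def iptables_rules(rules=WHITELIST, iface="br0"):
    """Render the whitelist as iptables FORWARD-chain commands.

    iface is the guest LAN bridge; 'br0' is an assumed name, check it on the
    device. The final rule drops everything the whitelist did not accept.
    """
    lines = []
    for r in rules:
        ports = str(r.low) if r.low == r.high else f"{r.low}:{r.high}"
        lines.append(
            f"iptables -A FORWARD -i {iface} -p {r.proto} --dport {ports} -j ACCEPT  # {r.note}"
        )
    lines.append(f"iptables -A FORWARD -i {iface} -j DROP")
    return lines


# Constructed sample flows: what a guest device might try to open.
SAMPLE_FLOWS = [
    ("tcp", 443),   # normal HTTPS browsing
    ("udp", 53),    # DNS lookup
    ("tcp", 6881),  # a high port of the kind BitTorrent clients default to
    ("udp", 443),   # QUIC / HTTP/3; dropped here, browsers fall back to TCP 443
    ("udp", 3544),  # business VPN from the post
    ("tcp", 25),    # outbound SMTP
]

if __name__ == "__main__":
    for proto, dport, verdict in classify(SAMPLE_FLOWS):
        print(f"{proto:3} {dport:5} -> {verdict}")
    print()
    print("\n".join(iptables_rules()))
```

Running the block prints the verdict for each sample flow and then the equivalent iptables rules, so the policy can be reviewed as text before it is typed into the router. Two things the model makes visible that the router UI does not: UDP 443 (QUIC) is dropped, which is harmless for browsing but worth knowing when debugging, and any VPN that needs IPsec (UDP 500 and 4500) or mail submission (TCP 587 or 465) will fail until those ports are added to the table.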