Disclaimer: This content is the result of my having survived several emergencies of varying effect sizes. Most of these ideas are rules of thumb, and not canned answers. As in any emergency, your best outcome will be if you keep calm, consider many options, and flow from plan to backup plan as required.
As always, the most useful network configuration is the one that lets you use your available resources and that keeps you safe from attack. Every network will be configured differently. There are probably countably infinite network configurations that are equally safe.
Don't let the suggestions made here limit your options. Feel free to build your own router from an old computer or to spend thousands on an 'industry standard' router. Both approaches can work equally well and may cost the same in the end, because all of this relies on hard work, accurate reports of attacks, and reconfiguration to prevent successful attacks. There is no getting around the hard work, whether you do it yourself or pay someone else.
I want to particularly emphasize accurate reports of attacks. In particular, it is very necessary to have clear communication. If a trained computer scientist reports a problem, it behooves the hegemony to listen very carefully, especially if they have trouble believing the severity of the attack.
There is no substitute for a good, responsive systems administrator and a sufficient quantity of well-trained IT staff. So, if you are a manager, and your staff say that they are stretched too thin, you need to do something before you end up responsible for your own computer security.
There are just a couple of principles that are used to design these solutions:
Note also that this network configuration was designed to make up for the security deficiencies of the network to which it was connected. Since each local network situation is unique, it would be unwise to copy this without careful knowledge of your local situation.
Even the creation of a wireless network on a secure subnet without the permission of the local systems administrator can be a problem for everyone in the subnet. In my case, since I was hacked both at work and at home, I was responsible for trying to communicate about the attacks and the potential problems on any network that I connected my machine to. Any user of an exploited machine is responsible for contributing to security measures.
You know you have stable network security if your users are generally happy and rarely complain about software failures. Please note that complaints about 'hardware' failures may actually be software failures, but it takes an expert to identify the difference between hardware and software failures. So, be suspicious that your security is inadequate if the number of reported hardware or software failures increases drastically.
Also note that attacks come in waves or episodes (just like many things in life). If things are relatively quiet, then you should have some excess IT capacity. This is so that you can successfully manage an increase in illicit activity. It's similar to managing a financial budget. As they say, don't cut things close to the wire. (For the foreigners: 'down to the wire' refers to having too few resources to solve a problem.)
All of this comes down to clear communication and good management. Do your IT people complain about being understaffed? Do your users know who to report problems to? Do the people taking reported problems respect your users? Or do they write off user complaints as 'crazy'? What about the problems that users see, but cannot replicate for the IT people? As I have experienced just such targeted attacks, such attacks are eminently possible and an easy way to use social engineering to hide illicit activities from IT people.
As with all communication in a relatively stable system, everyone complains some, both users and IT. Big complaints and frequent complaints should be resolved as soon as possible, particularly if they affect multiple users. If an under-represented minority complains of being targeted, management should pay careful attention to the possibility of overt bias and discrimination that is carried out via illicit attacks.
If management suppresses complaints entirely, this is an incredibly bad sign about the health of the communication system.