For malware/ad protection and domain blocking I'd suggest Pi hole. I've just set one up on my home Mac mini (which is partly Plex server, partly workstation) in a fresh Debian 9 virtual machine. Literally took 5 minutes!
Then you can hand out the IP address of your Pi hole as DNS from your router, or even use Pi hole as your DHCP server and turn off the one on your router completely.
Router wise I think nothing beats Ubiquiti's EdgeRouter (~ 90 US$ / 80€), but you'd probably want to have a bit of networking experience to configure it correctly. This thing would for instance let you keep your children's devices in it's own VLAN, with restricted time based access and fine grained access permissions based on firewall rules and DPI (deep packet inspection) categories for different network traffic.
The better "home" choice would probably be Ubiquiti's UniFi security gateway, although I only have experience with the UniFi Access Points and not with the router this product line. I hear it is almost on par with the EdgeRouter feature-wise, but can be configured through the UniFi controller web GUI. UniFi Access Points offer Captive Portal options as well.
If you've got any questions or need help setting up your networking gear, just ask. I'm happy to help.