IIRC, I blocked everything below 53, everything above 443, and everything between 81 and 442 inclusive. The last one in particular blocks ports 137 138 139 which are used in windows networking and that stops somebody with a windows-compatible computer seeing other PCs on the internal LAN.
Yes and no. Port blocking is easily bypassed.... particularly if you've implemented it on a cheap firewall that doesn't do anything more than basic packet filtering.
The OP was talking about "lodgers", not kids here.... so you have to assume some lodgers will have more than a degree of technical competence.
The only way is to have a 2nd phone line installed and have another ADSL service running on that, and you put the "clients" wifi AP on that.
That won't protect you from legal troubles if you just used a simple shared password setup. You need a proper hotspot setup where each person is registered and you maintain the logs.... hence my Openzone suggestion, because maintaining logs in a legally admissible format is probably too much hassle for your average Joe.