Security implications about access to router login page

Normally you can go to a URL like http://192.168.0.1/ to access the login page to your router. Sure, I can create a strong long password, but it doesn’t feel secure enough to run untrusted network-connected VMs having access to this page at all. It would be better for only explicit VMs to be able to connect to this IP and port 80/443/22 at all.

Would it be a good idea to explicitly block this IP in all VMs’ firewall settings, or is there a better way? Maybe VLAN tags?

1 Like

Would it be a good idea to explicitly block this IP in all VMs’ firewall settings, or is there a better way?

In sys-firewall /rw/config/qubes-firewall-user-script create rules which deny by default, and explicitly allow (whitelist) the IP addresses which you want to access the router’s IP address on a particular TCP port. Try chain custom-forward.

https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

P.S. Do this in sys-firewall’s DVM template to make it persistent.
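The deny-by-default whitelist described in the reply above, as an added example that is not part of the thread or of Qubes' own code. It assumes the Qubes 4.2 nftables table `ip qubes`; the qube addresses, the `APPLY` switch and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Qubes 4.2 nftables table
# "ip qubes" and constructed sample qube addresses.
ROUTER_IP="192.168.0.1"                  # router address from the question
ROUTER_PORTS="22,80,443"                 # ports named in the question
ALLOWED_QUBES="10.137.0.10 10.137.0.11"  # constructed: qubes allowed to reach the router

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_router_rules ROUTER PORTS [QUBE_IP...]: print an nft script for chain
# custom-forward. Accept lines come first because rules are matched in
# order; the final drop covers every other forwarded source. A malformed
# qube address is skipped with a warning, so a typo fails closed.
gen_router_rules() {
    router=$1; ports=$2; shift 2
    is_ipv4 "$router" || { echo "bad router address: $router" >&2; return 1; }
    case "$ports" in
        ""|*[!0-9,]*) echo "bad port list: $ports" >&2; return 1 ;;
    esac
    for src in "$@"; do
        if is_ipv4 "$src"; then
            echo "add rule ip qubes custom-forward ip saddr $src ip daddr $router tcp dport { $ports } accept"
        else
            echo "skipping bad qube address: $src" >&2
        fi
    done
    echo "add rule ip qubes custom-forward ip daddr $router tcp dport { $ports } drop"
}

# Dry run by default (prints the ruleset). With APPLY=1, as root in
# sys-firewall, nft loads all lines as one transaction.
if [ "${APPLY:-0}" = 1 ]; then
    gen_router_rules "$ROUTER_IP" "$ROUTER_PORTS" $ALLOWED_QUBES | nft -f -
else
    gen_router_rules "$ROUTER_IP" "$ROUTER_PORTS" $ALLOWED_QUBES
fi
```

Traffic that is merely routed through the router to the internet carries a different destination address, so the drop rule does not match it.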

@qubist is right, and a GUI option is coming. Until then, you might be interested in these:

https://forum.qubes-os.org/t/qubes-firewall-manager/2787

https://forum.qubes-os.org/t/restricting-a-qube-to-selected-websites/2522

I don’t think your Qubes VMs are the ones you should fear the most :slight_smile:
But yes, you can create firewall rules for all of your VMs, and filter out whatever you like - or at least what you can implement with Qubes Firewall.

However, imagine your other devices in your home network:

  • IP camera(s) or any other IoT devices.
  • Smart TV(s)
  • kids’/wife’s/guests’ phones :slight_smile:
  • Xbox, PS, or any other Windows PC
  • etc.

Those all bring much more threat to your LAN than any of your ‘untrusted’ VMs - I guess.

So I would suggest a much more device-independent approach instead - but that surely has nothing to do with Qubes OS; it is a more general network security issue/question.

1 Like

Ideally, one can treat their home network like a public WiFi for risk assessment.

2 Likes