That's an instant buzz kill for most wifi snatchers.
SSID broadcast off -> if you're not looking for it or know what to look for, good luck.
(Change the SSID obviously when you turn it off so it's not known)
MAC address filter. If he spoofs it, it kicks that system offline, so you'll know rather quickly.
Random WPA2, takes forever to crack.
Last step - use non-standard internal IP addresses. Obviously keep it in the 'unused' domain but you can have some fun with it.
It won't loop back, it'll work, and it's likely that they won't figure that out (unless they read Slashdot).
This requires you to also turn off DHCP and manually specify the IP address on your wifi devices connecting to it for it to work,
but that's pretty much as secure as it gets without going hardline.