TL;DR: Split your needs into separate devices, and look for devices with OpenWRT support (here, under Special user views, Ideal for OpenWRT).
I've had a somewhat similar situation on my hands for over a year now, and I've been looking at the alternatives. I'd prefer affordable off-the-shelf devices running some derivative of Linux, but all the existing options are either expensive (> 250€) or require too many compromises, so I've resigned myself to building my own. In my case:
1. Most of the time, I am physically over 1000 km away from the installation
2. Internet connection is through a 4G/LTE modem, and I want a good firewall with a fail2ban or ban-if-trying-certain-ports rules
3. A couple of devices streaming TV off internet directly
4. A few CCTV cameras
5. A couple of local devices with access to CCTV cameras and the internet
6. A local server for intrafamily document sharing
7. Guest devices with internet access
Because of 1, I do need remote access myself. Using a fixed IP address increases the monthly cost quite a bit, and I'd rather avoid that; instead, I want to use an actual modem. USB dongles like ZTE823 (that I now use) are typically not bridging, but have a small Linux installation, and a NAT. Some routers, like Asus RT-AC51U, do support publishing the router IP address to dyndns-like services, but that won't work with non-bridging dongles.
Because of 2 (and partially 1), I want the router with the firewall to have enough memory and CPU oomph to run my own rules, and allow me to connect to it and the network remotely. (Specifically, I haven't seen any router, even OpenWRT, have a good banning module, so I'm resigned to doing my own. I run fail2ban on this particular machine, and it keeps a lot of the attacks at bay; I'd love to have it on a router.) If it has half a gigabyte of RAM, I can run vanilla fail2ban with custom port knock banning rules.
Because of 3, 4, 5, I'd also like to subdivide the local wired networks into three subsets, but this is semi-optional.
Because of 6, I'd like to have a small Linux SMB with a couple of hundred gigabytes of storage, for exchanging family stuff that people are not willing to send over email; my family members aren't savvy enough to be trusted to use encryption. (If they were, this would not be an issue at all.) Again, this is optional, but from the start I've known this would be completely up to me to set up and maintain. I only included it in this list to point out how complicated this setup has already evolved into.
To solve this, I've decided to split the router into two.
First router is an Odroid HC1 or La Frite SBC, with a USB WWAN/miniPCIe adaptor and a Huawei ME909s-120 4G/LTE modem appropriate for my region. I like the HC1 hardware more (octacore big.LITTLE architecture, Samsung Exynos 5422), but have a La Frite (Amlogic AML-S508X) as a backup if that falls through. I intend to run straight vanilla upstream kernels, not vendor kernels. I would have used OpenWRT, if I'd found suitable hardware within my tiny budget.
Second router handles the wireless connections, and is directly connected to the first router, and the local wired subnets. This is a much simpler device. For now, I'm using an Asus RT-AC51U running OpenWRT, although it has only 100Mbit/s Ethernet, and it might lack 5 GHz support (I haven't checked 18.06.4, if it includes the MT7610EN support yet). Another option is Mikrotik hAP ac running OpenWRT, which has triple-chain dual-band WiFi and five GbE ports.
The idea is that the second router manages the local wireless network, and the weak firewall/routing between the local wired network and wireless network (networks, I want both 5 GHz and 2.4 GHz, because reasons). The firewall here is just to stop accidents, really.
The first router is the lynchpin. I've mentioned here I have worked on a carrier board for a Teensy 3.2 to be connected to the HC1 (via 1.8V UART), to hold a small display and a few buttons, for non-technical users to see whether the network is okay or not. Plus voltage and power measuring and shutdown control, as mains voltage losses and hiccups are not rare there, and I don't want to spring for a UPS. I already have a WD Green 240G SSD for the HC1, and I think I'll just set up Apache or Nginx on it to provide my minimal local server needs too. I'm waiting for my 2.8" IPS display and gesture sensors to arrive, before I commit to the "final" version of the carrier board. (I'm working on a variant of the Samsung serial driver that allows multiplexing the serial terminal with application data (essentially exposing two or more serial device nodes for the one hardware port, with kernel separating and escaping the data streams properly to keep them separate), so that I can use the display for a simple boot terminal if I want, or connect the Teensy via the USB connector to another computer for full serial terminal access, but I'll have to see if I have the mental wherewithal to finish that and try and push that upstream.)
Splitting the functionality into separate parts meant I don't need to look at >$250 USD hardware, and can upgrade parts piecewise. If something breaks, partial operation can easily be restored. Right now, that network uses ZTE MF832 and Asus RT-AC51U, which works, but isn't that secure, and lacks the features I want -- but it is usable.
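
The "ban-if-trying-certain-ports" rule from item 2 comes down to the decision logic below. This is an added example, not part of the original post and not the poster's code. The trap ports, the `wwan0` interface name, the LAN range and the log lines (written in the style of the kernel's netfilter LOG target) are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

TRAP_PORTS = {23, 445, 3389}  # assumed: ports this site never serves on the WAN side
NEVER_BAN = [ipaddress.ip_network("192.168.0.0/16")]  # assumed LAN / modem NAT range

LOG_RE = re.compile(
    r"IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) .*?PROTO=\S+ .*?DPT=(?P<dpt>\d+)")

# Constructed sample lines; none of these come from a real log.
SAMPLE_LOG = [
    "kernel: PROBE IN=wwan0 OUT= SRC=203.0.113.7 DST=10.64.0.2 PROTO=TCP SPT=41234 DPT=23 SYN",
    "kernel: PROBE IN=wwan0 OUT= SRC=203.0.113.7 DST=10.64.0.2 PROTO=TCP SPT=41235 DPT=445 SYN",
    "kernel: PROBE IN=wwan0 OUT= SRC=198.51.100.9 DST=10.64.0.2 PROTO=TCP SPT=50000 DPT=3389 SYN",
    "kernel: PROBE IN=wwan0 OUT= SRC=198.51.100.9 DST=10.64.0.2 PROTO=TCP SPT=50001 DPT=443 SYN",
    "kernel: PROBE IN=br-lan OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=5555 DPT=445 SYN",
    "kernel: PROBE IN=wwan0 OUT= SRC=192.168.1.1 DST=10.64.0.2 PROTO=TCP SPT=6000 DPT=23 SYN",
    "kernel: PROBE IN=wwan0 OUT= SRC=192.0.2.44 DST=10.64.0.2 PROTO=ICMP TYPE=8 CODE=0",
    "kernel: PROBE IN=wwan0 OUT= SRC=not-an-ip DST=10.64.0.2 PROTO=TCP SPT=1 DPT=23 SYN",
]

def parse_line(line):
    """Return (iface, source address, destination port), or None if unusable."""
    m = LOG_RE.search(line)
    if not m:
        return None  # no port field (e.g. ICMP) or not a firewall line
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None  # malformed address: never pass it on to a ban action
    return m["iface"], src, int(m["dpt"])

def find_bans(lines, wan_iface="wwan0", threshold=1):
    """Addresses that hit a trap port on the WAN side at least `threshold` times."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        iface, src, dpt = parsed
        if iface != wan_iface or dpt not in TRAP_PORTS:
            continue  # LAN-side traffic and ordinary ports are not probes
        if any(src in net for net in NEVER_BAN):
            continue  # do not lock out the local network or the modem
        hits[src] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

Applying the result (adding the addresses to a firewall set with a timeout) is left to whatever ban mechanism the router runs.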