Ideal budget is $200 but can go to $500. I'm not married to OpenWRT either but this is the OpenWRT forum so I assume that's what people will recommend.
Needs:
Traffic shaping of 250/10 Mbps cable line (Zoom and T-Mobile wifi calling should be prioritized)
STABILITY
Guest network with isolation from main network (guests can't see main network traffic)
Wifi
WPA2
Likely to be supported for 3 years
5 devices on wifi
Tolerable wifi on 3 floors (wifi on main floor). This has never been a 'problem' in 15 years of consumer wifi.
Bonus:
Spouse-proof (unplugging and replugging a single device should be all the troubleshooting needed)
SQM CAKE (not fq_codel)
cases for all, no bare boards
Single device
Can firewall my work laptop from the rest of network (can't see other devices), even on wired connection
WPA3 allowed but WPA2 compatible
Likely to be supported for 5 years
10 devices on wifi with 5+ 'idle' at once (Roku etc)
Goes without saying:
Port forwarding
Top choice right now is Netgear R7800. Also looking at:
SBC for routing, any dumb AP and dumb switch. Ubiquiti for wifi and don't even involve OpenWRT for wifi?
I've been really happy with my new setup as of a month ago: RPi 4 with a USB Ethernet dongle for routing and a TP-Link RE603x in dumb AP mode. Separating the two concerns freed me to locate the AP in my home for the best coverage while the RPi lives downstairs with the rest of my networking and server equipment. Total cash outlay for both was only ~$130 and it'll shape a connection like yours without even breaking a sweat. Heck, at those speeds you could skip the USB dongle and put that money towards a managed switch for a "router-on-a-stick" setup without sacrificing any performance.
I think a Turris Omnia would fit most of your desires pretty much out of the box (using the guest network feature to isolate the work laptop). Mind you, that is with using their own OpenWrt derivative; if you switch this over to OpenWrt proper you will need to configure a number of things yourself.
I am using an Omnia myself, albeit only on a 100/40 VDSL link (but my testing indicated it to be able to traffic shape up to 500/500) and only in a single-floor ~10 by 10 m apartment where wifi coverage is okay, not great (thick walls).
The one challenge with TP-Link's consumer access points (at least the RE603x/RE605 which are Broadcom-based and thus not likely to get OpenWRT support in this lifetime) is that they don't support multiple SSIDs. It's really unfortunate because they're a super convenient form factor - almost as convenient as a PoE-powered in-wall AP. I'd love to hear from others what devices they're using in this role.
R7800 has no problem shaping 250Mbps with cake, and you have the choice to use @ACwifidude's or my build with fq_codel NSS HW acceleration, or you can build your own from our repo.
R7800 with NSS can shape 900Mbps with 3% cpu load on nss_fq_codel. R7800 also has damn good wifi. At 700Mbps 5G wifi load is only around 50%.
For me it is one of the best all-around units. From the reports regarding SQM, the RT3200 might be a good unit if only routing is important, but my experience with wifi on the MT devices isn't good.
The R7800 is pretty much the only router that can handle my wifi requirements. And I have about 30 different routers to choose from: MT, BRCM, QCA :-)
RT3200. Have three myself and tons of positive reports on this forum. Can handle SQM at 1Gbit with normal packet sizes apparently and has latest WiFi tech.