Decent budget router for 500 MBit/s up/down sqm?

I’m planning a comprehensive upgrade of my home network and would appreciate expert guidance on configuring OpenWRT with my current and potential hardware.

Current ISP Setup

ISP & Connection Details

• Location: Canada

• Current Speed: 0.5 Gbps up/down (considering in the future 1 Gbps up/down upgrade)

• ONT: Nokia ONT XS-010X-Q (FTTH SFU)

  • XGS-PON (10G Up/Down) – ITU-T G.9807.1 compliant
  • AES-128 Encryption, FEC, SC/APC connector
  • 1× RJ-45 LAN (100M/1G/2.5G/5G/10G Base-T, auto-negotiation)
  • IGMP v2/v3 snooping for multicast traffic

• Router/Modem: Nokia WiFi Beacon 6 Mesh

PPPoE & VLAN Requirements for Third-Party Routers

• PPPoE Credentials (username & password from ISP)
• VLAN ID: 40 (mandatory for PPPoE)
• MTU: 1492
• Router Requirement: Must support **VLAN tagging for PPPo

Desired Network Features and Considerations

1. Performance & Optimization

• DNS: Unbound, AdGuard or dnsmasq with caching, DNSSEC, and optional Pi-hole.
• Routing: Fast Forwarding, TCP tuning (window size, TCP Fast Open).
• SQM: Best SQM method for multi-VLAN setup or wan setup (Cake vs fq_codel vs HTB).
• Wi-Fi: Optimized SSIDs per VLAN, band steering, and channel selection

2. Security & Isolation

• VLANs:
  1. Gaming (low-latency, high-priority traffic)
  2. Work/General Devices (PCs, MacBooks, iPads)
  3. IoT & Streaming (TV, Smart Devices)
• Firewall: nftables/iptables for VLAN isolation.
• VPN: WireGuard for remote access.
• Intrusion Detection: Snort/Suricata for real-time threat monitoring.

3. Additional Considerations

• Hardware Acceleration: NAT offloading, CPU optimization.
• Monitoring: Real-time bandwidth & latency tracking (nload, Grafana).
• Failover: Dual-WAN/load balancing recommendations.

4. Hardware Options:

   • Considering routers such as:

     • NanoPC-T6
     • NanoPI R6S
     • GL.iNet GL-MT3000/MT6000
     • Netgear R7800
     • Banana Pi BPI-R3/R4
     • Xiaomi Redmi AX6000
     • Cudy WR3000 AX3000

   • Considering switch such as:

     • TBD

   • Considering AP such as:

     • TBD

   • Open to other recommendations, including component-based network setups versus an all-in-one solution.

Questions for the Community

• Network Segmentation:
  What strategies or configurations (e.g., VLANs, firewall rules) would you suggest to ensure that if one user’s device is compromised, the others remain protected?

• Additional Suggestions:
  Are there any additional best practices or hardware considerations I should keep in mind when planning this upgrade?

Drop the r7800, it's a well supported device, but it's showing its age (500 MBit/s without sqm are possible (but that's close to its max), with sqm you drop down under 200 MBit/s).

The gl-mt6000 should meet your requirements.

Do you know how I can connect my fiber optic cable to the router since I would need to return my ISP ONT.

That is practically impossible unless they give you sfp module for their network wavelength. Or very rarely they will tell 3rd party connection equipment that can be used.

Go with MT6000 out of your list.

And if you were to get that module, you would most likely need a router with SFP+, realistically that probably means the BPI R4.

Still not guaranteed to work, GPON can be weird

There is no need for SFP+ module because internet speeds wouldn't go above 1 Gb/s as OP said, so just a regular sfp module would be a enough.
And its not really that hard to find a compatible sfp module, you need to do some research on what OLT and etc. If you are using GPON, this might help https://hack-gpon.org/
As per your request @kesh , I think Banana PI BPI-R3 would be a good choice in addition to having sfp port if you ever want to directly connect optic cable to it.

If you are in EU or US it is very likely your provider indicates compatible modules and technical parameters. In reality I dont see how lowest function PON to ethernet media converter in the wall can be a problem. You save 50 bucks on gpon sfp and another 50 on sfp slot.

XGS PON is not GPON (and while both PON variants can simultaneously coexist in the same segment, user side ONTs are either for GPON or for XGSPON), make sure to look for XGSPON SFP modules if you go that route, and I bet these will be SFP+. I would first ask the ISP, and then check their customer forums whether anybody got an sfp module working...

+1 for the GL-MT6000 if it fits into your budget.

Also Cudy is cheap where available and easy to install
https://openwrt.org/toh/views/toh_available_16128_ax-wifi

What are your thought on the Cudy WR3000 AX3000 Router for my use case?

After research, I was leaning toward the R4 since current price on aliexpress is 156$ CAD while the mt-6000 is going for 200$ CAD on their official website. Is there any information I need to know before hand before I pull the trigger

Are you sure you selected the whole set for R4? Cause it sounds like you selected "Only Board" option looking at the price, which doesn't include wifi antennas, wifi 7 card, power supply and case.

If you're still doing research on switches, I can recommend this one:

It is a semi-managed switch, price point slightly above an unmanaged/dumb switch, support up to 32 802.1q VLANs and a few extra L2 switch features.

I have two of these in my home. NanoPi R4S as router, TL-SG108E as main switch, TL-SG105E in another room and three Xiaomi AX3000T as WiFi access points.

with further research, what are you thought on the Raspberry Pi 5 acting as my main router, the retail price for the gl-mt6000 is 200$ CAD while the rpi5 is 130, I have an old dumb ap I could reuse for my setup in addition to a managed 8 ports switches

raspberry has one gigabit interface, check nanopi-s

that was my first choice but I couldn't find any local Canadian retailer that are selling them. Do you know other option other than aliexpress and amazon ?

Google says walmart