Sounds like you'd want a decent wired only router, a NAS (for the network drive/media server part) and a PoE switch that can power your security cameras and/or access points. With all the nooks and crannies you say you've got there should be a way to run wires (and it will be more reliable than mesh if you have lots of network users).
I built this as a revision to my 8700K setup and it's humming along doing more than what you're looking for. I have it setup as a router / firewall / NAS / DVR / VPN (whole LAN) / Plex / etc. The reason for going big on the CPU for me is the processing of video files is quite snappy compared to lower level CPU's I've used in the past with Plex. VPN also runs at line speed using wireguard / Nordvpn which is nice with a 1gbps connection getting at least 90% of the speed while connected vs OVPN that legacy providers use.
For the AP though I used to use an internal 2600AC card but, switched to a NWA210AX due to no NIC's offering WIFI6 and there still aren't any on the market that can host in AP mode. The AP does cover 1300sq ft with no dead spots anywhere w/ drywall / steel studs.
its older article but gives you a heavier view on what CAN be done in a home.
Get a good wired router. Get some dedicated APs and run LAN lines for them. Backbone routing ALWAYS wins over mesh. (i personally have Ubiquiti AC-Lite and run the controller software in a docker container on my router.)
Your cameras? I'd have them off a POE switch (which will come in handy for the POE for the APs) and most likely run it off your NAS or even a separate pc or device (i know some people run them via raspberry pi's)
As for parental control/adblocking? Ad Guard Home.
if you run an OpenWrt router you can even install it via the opkg system or use my thread to install the latest edge builds.
the Edge build thread.
As for Media Server? I have a Raspberry Pi4 with a powered USB hub and couple of external drives attached. The Pi runs Plex Media server and hosts my media. The Pi runs Ubuntu and the plex stuff sits in a docker.
Like already said, aim for wired backbone (at least between floors and the most remote nooks).
With lots of kids, lots of users, you should aim for modern WiFi hardware, meaning good concurrent multiple connections. 802.11ax devices (AC as fallback option).
You want CPU power for the main router, for loadbalancing SQM, adblock, etc.
I just helped my sister to modernize her house and as her ISP fiber connections endpoint is in a room with thick walls, we ended up with a router there and two APs elsewhere in the house, connected with wired cables. I selected RT3200/E8450 as the device. Modern 64bit CPU, WiFi 6 ax, good OpenWrt support (in master, not yet in 21.02). The weak point of the device is internal WiFi antennas: the wifi range is not that good. But it is priceworthy, as we got several routers at the same total price as one really powerful top-end router. And there aren't that many OpenWrt supported ax devices, yet.
Thank you all so much for the guidance! And the reading suggestions.
PoE seems inevitable for the security cameras. I hadn't thought about powering the access points, so thank you for that.
A PC as a router, etc. feels like overkill, but probably makes sense given the security cameras. What OS does it need to run? Sounds like fun, but a steep learning curve.
The primary router would go in the basement under the garage, and no need for wireless there. So the cable modem sits next to it, goes to the router, and then to a PoE switch, then to 3 access points? When I do the cameras I would need a PoE switch in the attic. I may not have power up there though.
OpenWrt runs on the PC. The access points too?
I have access above and below my house, but that middle floor is a problem. The many vertical voids are all sealed. I wish I could run wiring through the ventilation. Anyone have a tiny drone with a drill?
Router OS? OpenWrt with luci for interface.
For a pi or other device like nas you can run anything really. i use Ubuntu on my pi, but i've also previously used FreeNas on other devices.
I leave my AP running Ubiquity firmware. You can install OpenWrt on some of their APs but tbh i prefer their firmware and the docker controller.
^this. Unless you are reasonably confident at cabling. Also do ensure you use shielded cable.
You want at bare minimum cat 5e. ideally 6a or 7 would be best. There shouldn't be that much difference in cost for the cable but it does mean you will potentially be able to run 10Gb over it (if its under 250m) However switches to run that speed are expensive. 1Gb switches are cheap and the bare minimum for a home really.
Plan out where you want your data cabinet (where all the wiring comes back to) Put your poe switch there along with your patch panel. The other way is to just run cables and put cat5 ends on them. Personally i prefer using patch panels to make it professional and easier to manage. The bonus with POE is you only require a single lan cable. Depending on your cable lengths you may not even need a 2nd POE in the attic. Ideally you want to keep to below 250m lengths.
As for running cables through your ventilation. Its possible. A cable snake is a useful tool.
Fully doable, I agree. As network amateur however, I prefer the simplicity of OpenWrt where quite a lot of common network configurations can be performed following simple recipes via the GUI (just think firewall here).
There is some value in keeping the router (add all functionality that only works over the network anyway if you must) separate from the "servers" that way both can be independently updated/rebooted without one affecting each other, if everything runs as VMs on one physical machine that can become tricky fast.
Confidence is key here, running your own cables isn't difficult conceptually, it can just be tedious.
Make that 100m, that is ethernet allows at max 100m, if the cable quality is sufficient for the respective ethernet speed. I would guess that for say 10-15m even cat5e would allow 10Gbps ethernet, but have not tried it myself. 2.5 Gbps ethernet however was designed to work over 100m of cat5e (5 Gbps and 10Gbps ethernet will work over cat6A). 40Gbps ethernet wants cat8 cables...
Typically in ones own property, going for cable ducts is most future proof, so that in case fiber in the home will be the next big thing you can easily replace the existing wires/sockets.
For ethernet the traditional length limit is 100m otherwise you need to add a switch in between and daisy chain 100m segments. Or I am missing something and the true limit is 250m... Thanks to @mercygroundabyss for pointing this out, 100m are the traditional limit for XBaseT ethernet over twisted pair cables, I had forgotten all about the fun of having to put terminators on coaxial cable runs (so the bits don't fall out, was the wrong memory aid), thanks to $DEITY I never had contact with thick ethernet, only "cheapernet"....
But ideally you shouldn't go beyond 100m. It will also depend on the temperatures you install it in.
This explains more. They have a nice series on explaining cables, shielded vs unshielded and other cable regs. One i learnt is that you are only allowed so much external rated cabling inside a building. That one was new to me.
According to the NEC (National Electric Code) section 800.113, since CMX Ethernet cable is not fire rated it must not run indoors more than 50 feet before termination in any commercial structure. For residential single family and duplex dwellings, CMX Ethernet cable is permitted to be used as indoor/outdoor cable without restriction with the caveat that it cannot exceed 0.25” thickness (OD or outer diameter).
^this. Keep your router for routing. put other things elsewhere. its why my plex lives on my pi and my unifi controller on my router. Your family will very quickly hate you if you reboot the router while playing with things. As the joke goes. Want to meet the family? turn off the wifi.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o bo0 -j MASQUERADE
Shielded Ethernet cables are generally overkill for residential cabling, unless your planning to run the cables near something outputting a substantial amount of electromagnet interference, e.g. a generator. Or if your forced to run Ethernet cabling right next to power cables for a significant distance. They're also much more of a pain to work with and if you don't terminate and ground it properly then you'll probably end up in a worse situation.
It's much simpler to stick with unshielded and just think about your cable runs.
I am happy to trust that this is the case for you. But I was pretty explicit about the context and that this is my subjective assessment:
I think I am fully capable of working my way through iptablesnftables/tc man pages to get things configured as I desire, but I still appreciate that opening a new port (-range) in OpenWrt's GUI is so intuitive that I do not need to read man pages. I am willing to bet that I am not alone in looking at the issue this way. I also appreciate OpenWrt's abstraction layer that allows me to configure a quite diverse set of "things" with one config language/GUI, as much as I like Ubuntu, that is not Ubuntu's forte IMHO.