For the home/lab, an second-hand enterprise network main switch and an OSS router like OPNsense to enforce security policies on the wired side of things. For WiFi gear, I've been a fan of Ubiquiti APs managed by a self-installed UniFi instance without cloud features. This, and some custom glue jobs/scripts on the unifi VM, make it easier to track down troublemakers and lock them down so they can't just dial-home or self-update and brick themselves.

PSA: Don't connect any TV used a dumb monitor to the internet. This is like connecting your toaster to the internet and begging for trouble.