ben_zen

Don't forget, for short enough runs you can use SFP+ DACs and skip the transceiver bit. Honestly, reconsider if you need twisted pair, and use copper transceivers where you need to. You're unfortunately looking to thread the needle with good, quiet, and cheap. That doesn't usually happen; if you can deal with noise, a lot of older 10GbE Arista hardware is showing up on ebay, but it can get loud if you don't have proper cooling (even if you do, sometimes). In terms of an edge router, get a cheap older (2012-ish) server, add a 10GbE SFP+ NIC to it, and either run OPNsense/pfSense on it directly, or in a VM. I've had no issue routing 10 gig traffic between networks with that setup--even when the firewall's a VM. I use a Unifi AP AC lite in my apartment; unless you really need the distance, that'll do fine.

Surfboards are the way to go for the modem; a friend just upgraded to the SB8200, and it's working well for him. There's really two main benefits of a DOCSIS 3 modem at the moment: the protocol is more frequency- and modulation-efficient, so the provider's able to get more out of the same resources, and there's not as many people using it right now, so there's less congestion on the DOCSIS backhaul. As for routers, I have a hard time recommending really any consumer equipment, but for that space I'd recommend one of the mesh systems, like Netgear's Orbi, or if you're willing to go into prosumer or pro hardware, looking at something like the Unifi Dream Machine with some extra APs throughout the house. Plus, with the second option, you get to start learning more about how to really tackle networking!

So your firewall is picking up a DHCP address appropriately; can you reach other well-known internet addresses from the firewall? Say, pinging 8.8.8.8. If you can, I'd suggest making sure you've enabled IP masquerading and make sure that forwarding is turned on for all of the interfaces you want to have traffic forwarded across! In the shorewall config demo, I see a reference to Debian: https://shorewall.org/three-interface.htm#SNAT

You would probably want to look into a PCIe to M.2 adapter and look at M.2 WWAN cards; another option is to get a hotspot from Calyx Institute, if you're going to be in an area with Sprint coverage.

Routers are often not the best from a software perspective, and they can often fail to clean up logs and caches-especially caches. If you're seeing lots of issues with speed, try forcing your router to drop its ARP table; if that's got stale or wrong entries, the router might be trying to send traffic to the wrong locations or use slow paths. It looks like the manual doesn't really provide options for this, so doing a full reset may be the only real option.