pfSense can’t run on a Raspberry Pi from what I know. You can make a router out of it, but it’s a bit silly, unless you got a CM4 with 2 ethernet ports (or more) or if you are going to use it as either a wireless AP, or get internet through a WWAN.
Assuming you don’t really care that much about your connection to the outside world, then you probably don’t need anything more than a WRT. The reason why I prefer having at least a FOSS hardware, preferably something based on OpenBSD, but if that’s not available, a light version of linux that receives security updates, is that most ISP and consumer all-in-one routers that you buy from the store are easy targets for hackers. So if you can’t remove the ISP router (or using it in bridge mode), using a firewall in-between the ISP router and your internal network will prevent the damage spreading to your internal network. Currently there doesn’t appear to have been any ransomeware attacks that involve getting into vulnerable routers, but it’s just a matter of time.
In your case, if a pfSense hardware is not an option, the next best thing is to use a single board computer like the Raspberry Pi, or preferably something with 2 ethernet ports, like a NanoPi R4S and use that as a firewall. If you get a managed switch, you should be able to do some cool stuff with it. But note that I never used a NanoPi or RPi with a managed switch, so I’m not entirely sure if their ethernet ports support VLANs.
But again, if you don’t care much about that stuff, all you need is either a pf or iptables firewall between your internal network and your very vulnerable device that connects you to the outside world and that should be good enough.