Let's say I'm not too clever, it is not that I'm. I like to learn.

What would be best to secure a home WiFi router from external activities/attacks of people and programs trying to use your network?

Well, my method is a bit of a stone-age method, as I switched off the WiFi signal and I am on cable.
Let me be clear, it is not about from-internet activities as you have antiviruses, monitors and firewalls, it is about securing a home router from stealing your broadband by nearby devices/people.

Please express your valuable opinion,
maybe you will help someone,
to download games faster. ^
Post edited October 25, 2020 by user deleted
This question / problem has been solved by jhAtgog
To be clear; do you want your internal network extra secure or just prevent people from leeching internet access? For the latter: just use WPA2 and set up a good username/password. Maybe turn off SSID broadcasting, if you like. Whitelisting only certain MAC addresses is another option.
Seb7: Well, my method is a bit stone-age method as I switched off WIFI signal and I am on cable.
It's not a "stone-age method", it's actually the best way to network non mobile devices. Here, all computers are connected with ethernet cable. Wifi is only used for internet access and can't be used to reach the internal network (it's on a separate router).

If you currently use a modem/router provided by your ISP - don't use it for your network; get your own router!
(with router I mean a router/switch/AP combination... but they're usually just called "router")
Post edited October 25, 2020 by teceem
I have a feeling, that other people know more than me about wifi-security (it's not really my specialty). But i could add some general points:

If you use a closed-system router (probably given to you by your internet provider), then you can never be sure that the system is secure and kept up to date. An open system, e.g. Linux- or BSD-based, is probably the better choice, if your provider gives you a choice in that matter, which isn't always the case.

Antivirus is something that can give you a false feeling of security and also add more potential attack vectors, since many security holes have been found in those packages in the past.

If you think you need anti-virus, you are most certainly using Windows as operating system, and if you are using Windows, you really really should keep it up to date. The best choice in these cases might be to use the anti-virus solution that comes with the system, not some 3rd party solution.

Preventing people from stealing bandwidth is the same as preventing them from intruding into your home network in general, which boils down to "how do I prevent people from hacking my wifi". Use long passwords, use the latest encryption algorithms and keep your software up to date. Doing things like disabling SSID broadcasting or MAC filters on top of that might help a little, but I wouldn't rely on that.

In case you are forced to use your closed-internet-provider-router, you are out of luck, and might be better off if you disable the WIFI on that system and buy (or build) yourself a better standalone access-point.
Post edited October 25, 2020 by jhAtgog
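The two answers above converge on the same checklist: WPA2 only, a long PSK, no TKIP, and SSID hiding or MAC whitelisting only as an optional extra. The following script is an added example and not code from this thread; it assumes the "standalone access-point" mentioned above runs hostapd (the thread does not say so), generates a long random passphrase from a CSPRNG, writes the hardened hostapd settings, and runs a checker that rejects the weak settings the posters warn against. Interface, SSID and channel values are constructed.

```python
"""Generate a long WPA2-PSK passphrase and a hardened hostapd configuration,
and flag the weak settings the thread warns against.
Added example: assumes the access point runs hostapd; interface name,
SSID, channel and the MAC whitelist path are constructed values."""
import secrets
import string
from typing import Optional

# IEEE 802.11i limits a WPA2 passphrase to 8..63 printable ASCII characters.
PSK_MIN, PSK_MAX = 8, 63
# Letters and digits only, so the PSK is easy to type on a TV remote;
# 32 characters of [A-Za-z0-9] give roughly 190 bits of entropy.
ALPHABET = string.ascii_letters + string.digits


def make_passphrase(length: int = 32) -> str:
    """Random passphrase from the OS CSPRNG (secrets), never random.random."""
    if not PSK_MIN <= length <= PSK_MAX:
        raise ValueError(f"WPA2 passphrase length must be {PSK_MIN}..{PSK_MAX}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_config(ssid: str, iface: str, passphrase: str,
                 hide_ssid: bool = False,
                 mac_whitelist: Optional[str] = None) -> dict:
    """Hardened hostapd key/value settings (real hostapd option names)."""
    cfg = {
        "interface": iface,
        "ssid": ssid,
        "hw_mode": "g",
        "channel": "6",
        "wpa": "2",                   # RSN/WPA2 only, no WPA1 fallback
        "wpa_key_mgmt": "WPA-PSK",
        "rsn_pairwise": "CCMP",       # AES-CCMP only, TKIP is deprecated
        "wpa_passphrase": passphrase,
        "ieee80211w": "1",            # management frame protection (optional)
        "wps_state": "0",             # WPS off; PIN mode is brute-forceable
        # Optional extras from the thread; they do not replace a strong PSK.
        "ignore_broadcast_ssid": "1" if hide_ssid else "0",
    }
    if mac_whitelist:
        cfg["macaddr_acl"] = "1"          # deny unless listed in accept_mac_file
        cfg["accept_mac_file"] = mac_whitelist
    return cfg


def check_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    if cfg.get("wpa") != "2":
        problems.append("wpa must be 2 (WPA2/RSN only; WPA1 and WEP are broken)")
    if "TKIP" in cfg.get("rsn_pairwise", "") or "TKIP" in cfg.get("wpa_pairwise", ""):
        problems.append("TKIP cipher allowed; use CCMP only")
    psk = cfg.get("wpa_passphrase", "")
    if not PSK_MIN <= len(psk) <= PSK_MAX:
        problems.append(f"passphrase length outside {PSK_MIN}..{PSK_MAX}")
    elif len(psk) < 20:
        problems.append("passphrase shorter than 20 characters; use a long PSK")
    if cfg.get("wps_state", "0") != "0":
        problems.append("WPS enabled; disable it")
    return problems


def render(cfg: dict) -> str:
    """hostapd.conf text: one key=value per line."""
    return "\n".join(f"{k}={v}" for k, v in cfg.items()) + "\n"


# Constructed example of the kind of config the thread argues against.
WEAK_CONFIG = {"wpa": "1", "wpa_pairwise": "TKIP",
               "wpa_passphrase": "password", "wps_state": "2"}

if __name__ == "__main__":
    good = build_config("home-wifi", "wlan0", make_passphrase(),
                        hide_ssid=False, mac_whitelist="/etc/hostapd.accept")
    print(render(good))
    print("good config problems:", check_config(good))
    print("weak config problems:", check_config(WEAK_CONFIG))
```

The checker treats a hidden SSID and the MAC ACL as neutral, matching the thread's view that they are add-ons rather than protection; what it actually rejects is WPA1/TKIP, a short passphrase and WPS.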
jhAtgog: Preventing people from stealing bandwidth is the same as preventing them from intruding your home network in general...
Read my post - you can easily separate them.
jhAtgog: Preventing people from stealing bandwidth is the same as preventing them from intruding your home network in general...
teceem: Read my post - you can easily separate them.
I read your post, nothing wrong with it. You can always create a more complex and more secure solution. That is why I made some general points without knowing more about Seb7's internal infrastructure.
Post edited October 25, 2020 by jhAtgog
teceem: Read my post - you can easily separate them.
jhAtgog: I read your post, nothing wrong with it. You can always create a more complex and more secure solution. That is why I made some general points without knowing more about Seb7's internal infrastructure.
It's actually not very complex. The ISP router/modem has Wifi. My own router, connected to it, doesn't (turned off). All networked devices (internal network) are only connected to my own router.

If you're thinking of VRF, yeah that's a bit more work ('complex') to set up.
https://en.wikipedia.org/wiki/Virtual_routing_and_forwarding

Still, unless you have reasons to believe that skilled hackers want to do a local heist (wifi vicinity), WPA2+good user/pass is perfectly safe.
Post edited October 25, 2020 by teceem
jhAtgog: I read your post, nothing wrong with it. You can always create a more complex and more secure solution. That is why I made some general points without knowing more about Seb7's internal infrastructure.
teceem: It's actually not very complex. The ISP router/modem has Wifi. My own router, connected to it, doesn't (turned off). All networked devices (internal network) are only connected to my own router.

If you're thinking of VRF, yeah that's a bit more work ('complex') to set up.
https://en.wikipedia.org/wiki/Virtual_routing_and_forwarding

Still, unless you have reasons to believe that skilled hackers want to do a local heist (wifi vicinity), WPA2+good user/pass is perfectly safe.
How do I express it then without dancing around the "more/less complex" topic? Let's see.

Adding the second router (and probably one more subnet, I guess?) to the game adds the need for additional routing information for the wifi devices, since many people (you not included, yes I read your post) probably want their wifi devices to be able to reach the internal network, e.g. I really really would like my TV (wifi) to be able to reach my NAS (ethernet) with ripped movies.

So one would probably need some access rules on the internal router defining which wifi device can access which internal device, and which can not. Otherwise the whole idea of separating the networks would be useless. If you are not experienced, it's easy to create a mess with the rules.

If you use the DHCP from the ISP router for your wifi DMZ, you also probably need to add some static MAC reservations for those devices that should be able to reach the internal network, since otherwise, defining rules on the internal router for dynamic leases provided by another router may fail whenever, for whatever reason, the IP of the wifi device changes.

So there are some more things to consider with your solution, and I don't say that it is bad in any way, it might be just a little extra work.

And yes, I totally agree that WPA2-PSK with a long PSK and firmware that is up to date is good enough for a home network.
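The post above describes a concrete policy problem: with Wi-Fi clients on the ISP router's subnet and wired devices behind your own router, the internal router must forward only the Wi-Fi to LAN flows you want (TV to NAS, streamer to NAS) and drop everything else, and any rule keyed on a Wi-Fi client's IP silently stops matching once that client gets a different DHCP lease. The script below is an added example, not code from the thread. It models that forward policy with first-match evaluation, shows the lease-change failure, flags accept rules whose source IP has no static reservation, and renders the same policy as an nftables forward chain and dnsmasq `dhcp-host` lines (the choice of nftables and dnsmasq is an assumption; all subnets, addresses, MACs and host roles are constructed).

```python
"""Model the two-router layout from the thread: Wi-Fi clients on the ISP
router's subnet, wired devices on the internal router's subnet, and a
forward policy on the internal router that allows only listed Wi-Fi -> LAN
flows. Added example; all addresses and MACs are constructed, and the
nftables/dnsmasq rendering targets are assumptions, not the thread's."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Dict

WIFI_NET = ipaddress.ip_network("192.168.1.0/24")  # ISP router side (constructed)
LAN_NET = ipaddress.ip_network("10.0.0.0/24")      # own router side (constructed)
NAS = "10.0.0.10"                                   # wired NAS (constructed)

# Static DHCP reservations on the ISP router, MAC -> fixed IP (constructed).
RESERVATIONS: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "192.168.1.50",   # TV
    "aa:bb:cc:00:00:02": "192.168.1.51",   # audio streamer
}


@dataclass(frozen=True)
class Rule:
    src: str              # source IP or CIDR
    dst: str              # destination IP or CIDR
    dport: Optional[int]  # TCP destination port, None = any
    action: str           # "accept" or "drop"


def default_rules() -> List[Rule]:
    """Allow the two reserved Wi-Fi hosts to reach SMB on the NAS; drop the rest."""
    return [
        Rule(RESERVATIONS["aa:bb:cc:00:00:01"], NAS, 445, "accept"),
        Rule(RESERVATIONS["aa:bb:cc:00:00:02"], NAS, 445, "accept"),
        Rule(str(WIFI_NET), str(LAN_NET), None, "drop"),
    ]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation like a firewall forward chain; default drop."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "drop"


def unreserved_sources(rules: List[Rule], reservations: Dict[str, str]) -> List[Rule]:
    """Accept rules keyed on a single host IP that has no static reservation:
    these break as soon as the ISP router hands that device a new lease."""
    reserved = set(reservations.values())
    return [r for r in rules
            if r.action == "accept" and "/" not in r.src and r.src not in reserved]


def render_nftables(rules: List[Rule]) -> str:
    """Forward chain for the internal router; established traffic flows back."""
    lines = ["table inet filter {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in rules:
        port = f" tcp dport {r.dport}" if r.dport is not None else ""
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst}{port} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def render_dnsmasq(reservations: Dict[str, str]) -> List[str]:
    """dnsmasq static leases, one dhcp-host line per Wi-Fi device."""
    return [f"dhcp-host={mac},{ip}" for mac, ip in reservations.items()]


if __name__ == "__main__":
    rules = default_rules()
    print("TV -> NAS smb:", evaluate(rules, "192.168.1.50", NAS, 445))   # accept
    print("TV -> NAS ssh:", evaluate(rules, "192.168.1.50", NAS, 22))    # drop
    # Lease changed because the TV had no reservation: the rule no longer matches.
    print("TV (new lease) -> NAS smb:", evaluate(rules, "192.168.1.77", NAS, 445))
    print("rules at risk:", unreserved_sources(rules, RESERVATIONS))
    print(render_nftables(rules))
    print("\n".join(render_dnsmasq(RESERVATIONS)))
```

For this to work at all, the ISP router also needs a static route for the LAN subnet pointing at the internal router's WAN address (the "additional routing information" the post mentions); the script models only the policy side of the setup.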
jhAtgog: Adding the second router (and probably one more subnet, I guess?) to the game adds the need for additional routing information for the wifi devices, since many people (you not included, yes I read your post) probably want their wifi devices to be able to reach the internal network, e.g. I really really would like my TV (wifi) to be able to reach my NAS (ethernet) with ripped movies.
Yeah... that's the limitation. But your example: The TV is a non-mobile/portable device. Does yours not have an ethernet port?
I'll always prefer my own HTPC or media player. Currently using an Nvidia Shield...
Post edited October 25, 2020 by teceem
jhAtgog: Adding the second router (and probably one more subnet, I guess?) to the game adds the need for additional routing information for the wifi devices, since many people (you not included, yes I read your post) probably want their wifi devices to be able to reach the internal network, e.g. I really really would like my TV (wifi) to be able to reach my NAS (ethernet) with ripped movies.
teceem: Yeah... that's the limitation. But your example: The TV is a non-mobile/portable device. Does yours not have an ethernet port?
Nope, they saved a few bucks by not adding RJ45. And it is not the only device. My audio streamer (self-made) also has no ethernet (to avoid the ground loop) and also needs internet (streaming) and the same NAS (also streaming).

Concerning the media-streamer like shield - yes, but the very popular FireTV has no ethernet either, many companies drop it to save a few cents, which is not a good idea.
Post edited October 25, 2020 by jhAtgog
I remember we had a really long discussion when I went to school (and later in fact) about how effective it was to hide the SSID, to use MAC filtering and VLANs to prevent unauthorized access to/on the network... but if there was one thing we actually agreed on, it was the fact that WEP was already a disaster the moment the idea was conceived :D

Kinda like the POP protocol was made in a time when they didn't think much of security but of how much the world would benefit from it. Disabling the SSID will in most cases make the client openly ask "Where is xxxx" and you're just back to square one again, and using MAC filtering is actually more work than it's worth, as anyone can fake it on Linux and Windows (after finding it by sniffing ARPs).

But yes, security-wise, cutting the wifi signals is actually the best way to prevent unauthorized access. Accessing and decrypting with rainbow tables is way easier than getting physical access to a router or a switch, just like being able to detect and monitor old TV/PC tube screens from far away as early as the 70s and the 80s (since the electromagnetic waves are "bleeding" without proper shielding). We're talking about seconds to hours in the worst case when cracking even WPA2 if the password is short. "Wardriving" anyone?

Then again, this would seriously hamper any type of classic "mobility" for the workers, so it's best to have long passwords/passphrases. Just take note that Windows has a 16 character limit (or did, like XP and 7; don't remember about 10 now) for passwords, but Linux doesn't.

In many countries you are explicitly responsible for the network you have; if you leave it open and someone is doing something illegal, you can risk getting the local law or the FBI after you (even if you secured it).

EDIT:
https://www.thewindowsclub.com/maximum-length-of-password-windows-10

"To sum up what is the maximum password length in Windows 10 –

The minimum length is 8 characters and the maximum is 127 characters for a Local Account
If you use Microsoft Account to log into your Windows 10 machine, you cannot use more than 16 characters
If you are using operating systems older than NT, limit the passwords to 14 characters else you’d face login problems."

Well, another reason to NOT use Windows if security is very important :D
Post edited October 25, 2020 by sanscript
jhAtgog: Concerning the media-streamer like shield - yes, but the very popular FireTV has no ethernet either, many companies drop it to save a few cents, which is not a good idea.
Most "media-streamers" aren't that much better than what's already built-in in most modern TVs. IMO, the Shield is a lot closer to a (self built) HTPC, that costs a lot more.
I'd like to have a NAS, but currently I can do without (considering the expense). My media library resides on 3 USB HDDs, connected to the Shield (via a USB hub). I can access those files with any networked PC.
jhAtgog: Concerning the media-streamer like shield - yes, but the very popular FireTV has no ethernet either, many companies drop it to save a few cents, which is not a good idea.
teceem: Most "media-streamers" aren't that much better than what's already built-in in most modern TVs. IMO, the Shield is a lot closer to a (self built) HTPC, that costs a lot more.
I'd like to have a NAS, but currently I can do without (considering the expense). My media library resides on 3 USB HDDs, connected to the Shield (via a USB hub). I can access those files with any networked PC.
Yup, the Shield is actually pretty cool. I am seriously considering getting one for a long time now.
sanscript: I remember we had a really long discussion when I went to school (and later in fact) about how effective it was to hide the SSID, to use MAC filtering and VLANs to prevent unauthorized access to/on the network... but if there was one thing we actually agreed on, it was the fact that WEP was already a disaster the moment the idea was conceived :D

Kinda like the POP protocol was made in a time when they didn't think much of security but of how much the world would benefit from it. Disabling the SSID will in most cases make the client openly ask "Where is xxxx" and you're just back to square one again, and using MAC filtering is actually more work than it's worth, as anyone can fake it on Linux and Windows (after finding it by sniffing ARPs).
Disabling SSID and MAC filtering is on top of WPA2+good/pass.
WPA2 isn't perfect, but I can't imagine that anyone with the know-how to circumvent it is going for random users just for the free internet or sniffing around their files.
sanscript: Then again, this would seriously hamper any type of classic "mobility" for the workers, so it's best to have long passwords/passphrases. Just take note that Windows has a 16 character limit (or did; don't remember about 10 now) for passwords, but Linux doesn't.

In many countries you are explicitly responsible for the network you have; if you leave it open and someone is doing something illegal, you can risk getting the local law or the FBI after you (even if you secured it).
Yes, for the sake of brevity I cut out your first part, with which I totally agree.

Wifi is an existing (and still expanding) technology, many IoT devices use it and are a ticking time bomb whenever new holes in their IP or wireless stacks are found, since many of them will never get firmware updates with the necessary patches, and quite a few of them are openly reachable via the internet (hello bot-net!). Some of them will probably be in your home network soon, trying to poke holes in any security concept you are going to make. So fun times are coming. :)

I live in one of those countries you mentioned - that is why non-commercial public Wifi is such a rare phenomenon here compared to other countries, which really sucks.
jhAtgog: Yup, the Shield is actually pretty cool. I am seriously considering getting one for a long time now.
Not relevant for you, but the latest Shield update now has SMB3 Server functionality (long overdue).
The support/updates/functionality the Shield gets doesn't compare to any other media player. The Xtreamer I had 10+ years ago now just seems "funny".
jhAtgog: I live in one of those countries you mentioned - that is why non-commercial public Wifi is such a rare phenomenon here compared to other countries, which really sucks.
I'd say it only sucks if you can't even afford the cheapest mobile internet (4G). I have pre-paid and because of working at home (covid reasons) I don't even need it most of the time (thus not paying for it).
Over here... some ISPs (the big ones) have non-commercial hot spot functionality that's built into their modem/routers, completely separate from personal networking. Downside: only accessible to customers of those ISPs.
Post edited October 25, 2020 by teceem