jstorm’s advice is excellent. You will certainly want automated observation of the devices, persistent logging, and notifications of anomalous behavior.

Network segmentation will require a decent (i.e., non-consumer) edge router and managed switches (with which to establish VLANs). The router can be hardware, or software running on a dedicated or virtual machine. Prices start at free or $100 (e.g., for Ubiquiti and Mikrotik gear) and go up from there. Managed switches start around $50. Building something yourself (e.g., pfSense in a VM) will save money at the cost of time (and adds the benefit of understanding how such things work).

You may want to take a look at Security Onion (https://security-onion-solutions.github.io/security-onion/) to get a sense of the types of applications used for IDS, IPS, logging, analysis, alerting, and so forth. The apps in that bundle are good examples and save quite a bit of work of manual assembly. There are others, however, also freely available, and your cost is just the time spent acquiring competence with them.

You’ll need a dedicated or virtual system with which to run the observation and analysis stuff. This will likely cost north of $600.

Expect to spend 200+ hours initially and at least several hours per week thereafter. Probably more. Some of that time should be spent learning to use Wireshark.
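To make the "persistent logging plus notifications of anomalous behavior" and VLAN-segmentation points concrete, here is a small added example (my own illustration, not code from the post above or from Security Onion/pfSense). It assumes a constructed, simplified flow-log line format, a hypothetical device inventory keyed by MAC address, and a hypothetical segmentation policy in which IoT devices may reach the internet but may never initiate connections into the trusted LAN. It then walks a few constructed log lines and returns alerts for unknown devices, devices appearing on the wrong VLAN, and flows that cross the segmentation boundary.

```python
"""Toy VLAN-segmentation and anomaly monitor (added example, not from the post).

Assumed (constructed) log line format, one flow per line:
    <timestamp> <src_vlan> <src_mac> <src_ip> -> <dst_vlan> <dst_ip>:<dst_port>
Real firewall/IDS logs (pfSense filterlog, Zeek conn.log, ...) differ; the
parsing is the part you would adapt.
"""
from dataclasses import dataclass
import re

# Hypothetical device inventory: MAC -> (expected VLAN, friendly name).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": ("IOT", "thermostat"),
    "aa:bb:cc:00:00:02": ("IOT", "camera"),
    "aa:bb:cc:00:00:10": ("LAN", "laptop"),
}

# Hypothetical segmentation policy: (src VLAN, dst VLAN) pairs allowed to
# initiate connections. Anything cross-VLAN not listed here is a violation.
ALLOWED_FLOWS = {
    ("IOT", "WAN"),   # IoT gear may talk to the internet
    ("LAN", "WAN"),
    ("LAN", "IOT"),   # an admin on the LAN may manage IoT devices
}

LINE_RE = re.compile(
    r"^(\S+) (\w+) ([0-9A-Fa-f:]{17}) (\S+) -> (\w+) (\S+):(\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str
    detail: str


def parse(line):
    """Return (ts, src_vlan, mac, src_ip, dst_vlan, dst_ip, dst_port) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, svlan, mac, sip, dvlan, dip, dport = m.groups()
    return ts, svlan, mac.lower(), sip, dvlan, dip, int(dport)


def analyze(lines, known=KNOWN_DEVICES, allowed=ALLOWED_FLOWS):
    """Walk log lines and return the alerts a notifier would send."""
    alerts = []
    seen_unknown = set()  # report each unknown MAC once, not per flow
    for line in lines:
        rec = parse(line)
        if rec is None:
            if line.strip():  # blank lines are not worth an alert
                alerts.append(Alert("?", "unparseable", line.strip()))
            continue
        ts, svlan, mac, sip, dvlan, dip, dport = rec

        # Device-level checks: is this MAC expected, and on the VLAN we expect?
        if mac not in known:
            if mac not in seen_unknown:
                seen_unknown.add(mac)
                alerts.append(Alert(ts, "unknown-device", f"{mac} ({sip}) on {svlan}"))
        else:
            expected_vlan, name = known[mac]
            if expected_vlan != svlan:
                alerts.append(Alert(ts, "wrong-vlan",
                                    f"{name} {mac} seen on {svlan}, expected {expected_vlan}"))

        # Flow-level check: does the cross-VLAN direction match the policy?
        if svlan != dvlan and (svlan, dvlan) not in allowed:
            alerts.append(Alert(ts, "segmentation-violation",
                                f"{svlan} {sip} -> {dvlan} {dip}:{dport}"))
    return alerts


# Constructed sample log (documentation IP ranges, made-up MACs).
SAMPLE_LOG = [
    "2024-01-01T00:00:01 IOT aa:bb:cc:00:00:01 10.0.20.5 -> WAN 198.51.100.20:443",   # fine
    "2024-01-01T00:00:02 IOT aa:bb:cc:00:00:02 10.0.20.6 -> LAN 10.0.10.10:445",      # camera probing LAN
    "2024-01-01T00:00:03 IOT aa:bb:cc:00:00:99 10.0.20.77 -> WAN 203.0.113.9:8883",   # unknown device
    "2024-01-01T00:00:04 IOT aa:bb:cc:00:00:99 10.0.20.77 -> WAN 203.0.113.9:8883",   # same, deduplicated
    "2024-01-01T00:00:05 LAN aa:bb:cc:00:00:01 10.0.10.50 -> WAN 198.51.100.20:443",  # thermostat on LAN?
    "2024-01-01T00:00:06 LAN aa:bb:cc:00:00:10 10.0.10.10 -> IOT 10.0.20.6:80",       # admin -> camera, allowed
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.ts}] {a.kind}: {a.detail}")
```

Running it produces three alerts (a segmentation violation, one unknown device, and a device on the wrong VLAN). In practice the inventory would be fed from your DHCP/ARP data, the log lines from the router or IDS, and the alerts handed to whatever notification channel you use; the point is that the policy is written down once and every logged flow is checked against it.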