I recommend putting public-facing devices on a separate VLAN, and running as much as possible through a reverse proxy, to only have a single port open. Network monitoring is important too.
I used to have one TL-SG105 and I solved this problem by connecting port 1 to the upstream router on first boot, so it can get an IP assigned by the router’s DHCP server and not create its own, breaking your entire network.