Your ISP router is pretty good at routing traffic across your local area network (LAN) and handling external requests, but it's rather basic in terms of features and functionality. This has improved over the years, and providers now ship some decent units for customers, but these still often pale in comparison to what can be created through the DIY route. Before setting off on this journey, it can prove a little daunting to even consider creating your own router and firewall. To laymen, these are some advanced devices, but really, all you require is a mini PC, a bootable drive with OPNsense, and you're effectively good to go.

What makes for a good router?

It's easier to choose than you think

The first port of call is to choose a mini PC. Not all of them will make for a good router and firewall. For instance, we require at least two LAN ports for handling WAN (wide area network) and LAN traffic. Basically, the WAN port will be used to facilitate communication between your ISP modem or optical network terminal (ONT) and the mini PC, while the LAN port will handle everything on your side of the device, which includes desktop PCs, access points for Wi-Fi networks, TVs, IP cameras, smart speakers, and more.

So long as the mini PC has more than two RJ45 ports, we're golden. For speeds, 1 GbE is perfectly serviceable for most households. I would only recommend moving up to 2.5 GbE ports if your budget allows and if you would rather have headroom available should you eventually wish to upgrade your fiber package to one with speeds surpassing 1,000 Mb/s (1 Gb/s). This is when that 1 Gb/s link between the modem/ONT and your custom router would be fully saturated, and a bottleneck formed. Mini PCs with 5 GbE or 10 GbE ports will be pricey and largely pointless.

Pick the right NIC

One thing to bear in mind is the manufacturer of the network interface cards (NICs). I suggest looking at mini PCs with Intel NICs over those from Realtek. Next up is the CPU. This isn't as important as the LAN port selection, but it's still noteworthy since if we choose one that's slightly underpowered for what we need to use the mini PC for, we could encounter problems further down the road. Running OPNsense doesn't require vast quantities of system resources, but handling a fiber line with super-fast speeds still puts some load on the CPU.
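Once OPNsense is installed, the chipset behind each port can be confirmed from the console. The script below is an added example, not part of the original article: it assumes the FreeBSD `pciconf -lv` command that ships with OPNsense's base system and the PCI vendor IDs 0x8086 (Intel) and 0x10ec (Realtek); the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: map each Ethernet device to its PCI vendor from `pciconf -lv`.

# Constructed sample covering both header formats pciconf has used
# (separate vendor=/device= fields, and the older packed chip=0xDDDDVVVV).
sample_pciconf() {
cat <<'EOF'
ahci0@pci0:0:19:0: class=0x010601 rev=0x21 hdr=0x00 vendor=0x8086 device=0x22a3 subvendor=0x8086 subdevice=0x7270
    vendor     = 'Intel Corporation'
igb0@pci0:1:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    class      = network
re0@pci0:2:0:0: class=0x020000 card=0x816810ec chip=0x816810ec rev=0x0c hdr=0x00
    vendor     = 'Realtek Semiconductor Co., Ltd.'
    class      = network
none0@pci0:3:0:0: class=0x020000 rev=0x01 hdr=0x00 vendor=0x14e4 device=0x1686 subvendor=0x14e4 subdevice=0x0000
EOF
}

# classify_nics: read pciconf -lv text on stdin, print "<device> <vendor>" per NIC.
classify_nics() {
    awk '
    /^[a-z0-9_]+@pci/ {
        if ($0 !~ /class=0x02/) next      # PCI class 0x02xxxx = network controller
        dev = $1; sub(/@.*/, "", dev)     # igb0@pci0:1:0:0: -> igb0
        line = tolower($0); vid = ""
        # The leading space keeps "subvendor=" from matching as "vendor=".
        if (match(line, / vendor=0x[0-9a-f]+/))
            vid = substr(line, RSTART + 10, 4)
        else if (match(line, / chip=0x[0-9a-f]+/))
            vid = substr(line, RSTART + 12, 4)   # vendor is the low 16 bits
        if (vid == "8086")      label = "intel"
        else if (vid == "10ec") label = "realtek"
        else                    label = "other(0x" vid ")"
        print dev, label
    }'
}

# On the firewall itself use live data; elsewhere fall back to the sample.
if command -v pciconf >/dev/null 2>&1; then
    pciconf -lv | classify_nics
else
    sample_pciconf | classify_nics
fi
```

A device listed as `none0` has no driver attached, so it will not show up as an assignable interface when you pick the WAN and LAN ports.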

For RAM, I would recommend between 4 and 8 GB. Any more would be overkill, and less than 4 GB may be too little when expanding OPNsense with plugins. Storage is easy; a simple 64 GB SSD will work fine. Most mini PCs with passively cooled CPUs will come barebones, so that you can pick up and install your own RAM and storage, or configure them with these components when shopping around. I suggest barebones, as you can save a few pennies by buying RAM and storage separately.

For my router, I bought a Sharevdi mini PC with an Intel N3700 processor, rocking four physical cores and a maximum boost clock speed of 2.40 GHz. It's a solid workhorse for running OPNsense and handles our fiber connection without issue — though I did have to alter a few settings to allow for workloads to spread across all cores and unlock the bandwidth we pay for. I threw in 8 GB of RAM and a small 128 GB SSD I had to spare, and it was ready for OPNsense to be installed. This specific Sharevdi mini PC isn't available anymore, but you can use it as a base for your search.

OPNsense is incredible

The best firewall and routing software

After downloading the OPNsense image to a bootable drive, connecting it to the mini PC, adding Ethernet cabling to the rest of the LAN as well as the ONT, and firing the system up, I was greeted by the installer. This took a few minutes to complete, and everything was good to go. It's important to ensure you make note of which port is used for WAN and LAN, as mixing these up when performing system maintenance or such can provide a few hours' worth of headaches when first starting.

But as soon as you can load the OPNsense login page at the gateway IP in your favorite browser, you have a capable firewall and router already live and running. Your entire LAN is secured behind the mini PC, and you have full DHCP, VPN, DNS, and traffic shaping capabilities right out of the box. From here, I suggest exploring the UI. It's fairly complex and in-depth, but there's plenty of official and community-provided documentation to help explain what everything does.

Some things I would suggest doing are setting up custom DNS and attaching your VPN provider to OPNsense to create a blanket for all traffic going from your network — you can even set up grouping to avoid using the VPN for specific IPs and MAC addresses. Dynamic DNS (DDNS) is also worth checking out if you plan to self-host some services, wish to have them made available from outside your home through reverse proxies, and happen to have a dynamic public IP from the ISP.

My Sharevdi mini PC hovers at around 15% with general load on the network. Short spikes take the CPU usage to around 40%, but these are brief and don't affect anything network-related, even when the entire LAN is fully saturated. Performance, even with such a cheap mini PC, is excellent thanks to the capabilities of the Intel NICs and CPU, easily handling pretty much all I can throw at it, including IP camera feeds, streaming, backup storage, heavy file transfers, and more.

It can even be run virtually

Not quite happy dedicating an entire device to OPNsense? Why not run it on an existing home lab deployment with Proxmox? Although I don't recommend doing so, because if the server shuts down, your entire network falls off a cliff, some swear by running their firewall and routing firmware virtually on a consolidated system. That's one of the greatest things about leaving your ISP router in its packaging: you can do what you want, how you want. Wish to dedicate an entire server to just OPNsense with overkill hardware? Go for it!