I have operated a Linux-based firewall for many years now. I have used Smoothwall in the past. I hear good things about pfSense.
I do not like commercial firewalls because I always find that they constrain my desired usage in some way. YMMV
Here are a few things that I have learned from running a Linux-based firewall:
- The CPU is not likely to saturate/overload unless you are performing DPI (Deep Packet Inspection, for "intrusion detection") or running other "heavy apps" on the firewall.
- Intel NICs are the way to go. Realtek NICs seem to die or perform poorly compared to Intel NICs when they have to operate around the clock.
- Memory usage should be low unless you are doing DPI or running other "heavy apps" on the firewall.
- A good Linux kernel shuttles packets from NIC to NIC via memory, and does so without any delay that you will notice.
- You should achieve "almost" 1Gbps speeds without issue. Remember there will always be some packet overhead to take away from your total speed.
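Since the points above come down to "which NIC vendor is doing the work, and how loaded is the box", here is a small POSIX shell script that reports exactly that on a Linux firewall. It is an added example, not something from the post above: it reads the PCI vendor id the kernel exposes under /sys/class/net and the load and memory figures from /proc, so it runs on any Linux host without extra tools. The vendor-id table covers only the three vendors named (Intel, Realtek, Broadcom) and is an assumption of this example, as is the `--report` flag.

```shell
#!/bin/sh
# Added example (not from the original post): inventory NICs by PCI vendor and
# summarise firewall load, using only sysfs and procfs.

# Map a PCI vendor id (the contents of /sys/class/net/<if>/device/vendor)
# to a vendor name. Ids are the standard PCI-SIG assignments.
nic_vendor_name() {
    case "$1" in
        0x8086) echo "Intel" ;;
        0x10ec) echo "Realtek" ;;
        0x14e4) echo "Broadcom" ;;
        *)      echo "unknown ($1)" ;;
    esac
}

# Print every physical, non-loopback interface with its kernel driver and
# vendor. Virtual interfaces (bridges, VLANs, tunnels) have no device/
# directory in sysfs and are skipped.
list_nics() {
    for path in /sys/class/net/*; do
        ifc=$(basename "$path")
        [ "$ifc" = lo ] && continue
        [ -r "$path/device/vendor" ] || continue
        vendor=$(cat "$path/device/vendor")
        driver=$(basename "$(readlink "$path/device/driver" 2>/dev/null || echo unknown)")
        printf '%-8s driver=%-10s vendor=%s\n' "$ifc" "$driver" "$(nic_vendor_name "$vendor")"
    done
}

# One-minute load average and memory actually in use (MiB): the two figures
# the post quotes for its Pentium-based box.
firewall_load_summary() {
    load1=$(cut -d' ' -f1 /proc/loadavg)
    mem_used_kb=$(awk '/^MemTotal/{t=$2} /^MemAvailable/{a=$2} END{print t-a}' /proc/meminfo)
    printf 'load1=%s mem_used_MiB=%d\n' "$load1" "$((mem_used_kb / 1024))"
}

# Usage: sh nics.sh --report   (the flag name is an assumption of this example)
if [ "${1:-}" = "--report" ]; then
    list_nics
    firewall_load_summary
fi
```

Run it once on a box that has been up for a while; if the interface carrying the WAN uplink shows a Realtek driver such as r8169, that is the NIC the post suggests swapping for an Intel one.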
My current firewall is built on an old (can't buy it any more) Supermicro motherboard, an X11SBA-LN4F that is Mini-ITX format. That uses a Pentium 3700 CPU. I monitor the firewall with Monitorix. My CPU load is typically around 0.2 percent. My memory usage is about 1GB. That platform only sees its usage surge when I perform Linux updates! You might think CPU and memory usage would surge if you ran multiple YouTube streams, but my experience says, "Nope."
I have run Linux-based firewall software on an even older Supermicro X7SPA-H that is Mini-ITX format and has dual Intel 1Gbps NICs. It uses the old Intel Atom in-order CPU design. It easily handled the firewall job for me, though its CPU and memory did experience more loading compared to the Intel Pentium 3700 platform.
Some Mini-ITX boards from ASRock and others now have dual Intel NICs. Some only have a PCIe x1 slot (likely a SoC-based board) and others have a PCIe x16 slot (likely a standard desktop CPU board). You can find multiport Intel NIC cards that "should work" in the PCIe x16 slot, but some motherboard vendors are dorks and do something that only allows video cards to work in those slots.
Even a lowest-end dual-core Intel Celeron CPU should have no issues running Linux-based firewall software. If you do DPI or run some "heavy apps" on the firewall then you might have to scale up the CPU and memory. For purposes of experimenting I once scaled my firewall up to an Intel i3-3240 Ivy Bridge CPU and then an Intel C2558-based board. The performance stats from those experiments proved that those CPUs were never pushed to any of their limits; CPU load was something like 0.1 percent at all times.
Consider carefully how you will use the firewall. DPI is reasonable, but it can be CPU and memory intensive, and then you have to consider who is going to review & maintain the DPI function/rules. Running a local DNS and DHCP setup, commonly done with "dnsmasq" under Linux, is reasonable, but be certain to properly secure it. Running other apps, like a database or a drive storage array, might create unwanted security risks. Wi-Fi is another potential security risk. If you stick to something like pfSense or Smoothwall you should be ok since they are very cautious about their product designs.
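The "be certain to properly secure it" advice for dnsmasq mostly comes down to a handful of directives that keep the resolver and DHCP server off the WAN interface. The POSIX shell script below is an added example, not from the post: it audits a dnsmasq.conf for those directives and writes two constructed sample configs, a weak one that answers on every interface and a hardened one, so the audit can be tried offline. The interface names eth0 (WAN) and eth1 (LAN), the upstream server and the DHCP range in the samples are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a dnsmasq configuration
# for the settings that keep a firewall's local DNS/DHCP reachable from the
# LAN only. Every directive checked is a real dnsmasq option.

# Print one finding per line for the config file given as $1; print nothing
# when every check passes. Whole-line comments are ignored.
audit_dnsmasq_conf() {
    cfg=$(grep -v '^[[:space:]]*#' "$1" || true)
    # 1. Without interface= or listen-address= dnsmasq answers on every
    #    interface, the WAN one included.
    if ! printf '%s\n' "$cfg" | grep -Eq '^(interface|listen-address)='; then
        echo "no interface=/listen-address= restriction: dnsmasq listens on all interfaces"
    fi
    # 2. bind-interfaces turns that restriction into a real socket bind instead
    #    of a filter applied after the packet has already been accepted.
    printf '%s\n' "$cfg" | grep -q '^bind-interfaces' \
        || echo "bind-interfaces missing: restriction is filtered, not enforced at the socket"
    # 3. Do not forward plain hostnames or private-range reverse lookups upstream.
    printf '%s\n' "$cfg" | grep -q '^domain-needed' || echo "domain-needed missing"
    printf '%s\n' "$cfg" | grep -q '^bogus-priv'    || echo "bogus-priv missing"
    # 4. An explicit except-interface= for the WAN side is belt and braces.
    printf '%s\n' "$cfg" | grep -q '^except-interface=' || echo "no except-interface= for the WAN side"
}

# Number of findings; 0 means the config passed every check.
dnsmasq_finding_count() {
    audit_dnsmasq_conf "$1" | grep -c . || true
}

# Write two constructed sample configs into a temp directory and print its path.
write_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
# constructed sample: a bare config that serves DNS and DHCP on every interface
dhcp-range=192.168.1.100,192.168.1.200,12h
server=1.1.1.1
EOF
    cat > "$d/hardened.conf" <<'EOF'
# constructed sample: eth1 is the LAN side, eth0 the WAN side (assumed names)
interface=eth1
except-interface=eth0
bind-interfaces
domain-needed
bogus-priv
dhcp-range=192.168.1.100,192.168.1.200,12h
server=1.1.1.1
EOF
    echo "$d"
}

# Usage: sh dnsmasq-audit.sh /etc/dnsmasq.conf, or --demo to audit the samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(write_sample_configs)
    for f in weak hardened; do
        echo "== $f.conf: $(dnsmasq_finding_count "$d/$f.conf") finding(s)"
        audit_dnsmasq_conf "$d/$f.conf"
    done
    rm -rf "$d"
elif [ -n "${1:-}" ]; then
    audit_dnsmasq_conf "$1"
fi
```

The check is deliberately conservative: it only reads the main file, so if your install splits settings across /etc/dnsmasq.d/ (the `conf-dir=` directive), point it at each fragment or concatenate them first. A clean audit still says nothing about the packet filter itself; the firewall rules must also drop inbound 53/udp, 53/tcp and 67/udp on the WAN interface.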
In closing, the usage and performance profile of a firewall is different, very different, from any desktop and most server computers. That profile difference is due to the very specific nature of a firewall's job, and I am assuming a "purist definition" here, not a "throw everything you want/think into a single box" approach.