OPNsense 17.7 Released For FreeBSD 11 Powered Firewall

  • OPNsense 17.7 Released For FreeBSD 11 Powered Firewall

    Phoronix: OPNsense 17.7 Released For FreeBSD 11 Powered Firewall

    A big update is available today of OPNsense, the fork of pfSense that serves as a FreeBSD-based network operating system / firewall...


  • #2
    Being aware that pfSense existed and having only recently learned about the OPNSense fork, I installed one of the OPNSense 17.1.x releases on an AMD E-450 w/2GB RAM.

    I have been very pleased with both its performance, its stability and its UI. I'll probably wait a point release or two before upgrading it from 17.1.x to 17.7.x, though.



    • #3
      I've been using OPNSense for a couple years now and I absolutely love it. pfSense is garbage by comparison, and it makes OpenWRT look like a bad joke.



      • #4
        Does it have plugins to turn the thing into a decent NAS too? (is there a plugin list somewhere?)

        I'm seriously considering getting an x86-based system like these https://www.aliexpress.com/item/HCiP...788794421.html
        and a proper firewall distro to replace my router running OpenWRT/LEDE (because of reasons)

        Anyone have any recommendation on hardware?



        • #5
          Originally posted by starshipeleven
          Does it have plugins to turn the thing into a decent NAS too? (is there a plugin list somewhere?)

          I'm seriously considering getting an x86-based system like these https://www.aliexpress.com/item/HCiP...788794421.html
          and a proper firewall distro to replace my router running OpenWRT/LEDE (because of reasons)

          Anyone have any recommendation on hardware?
          It all depends on the "speeds & feeds" that you need. Experience has taught me that Intel NICs have broader FW software support compared to Realtek NICs. Releases of pfSense were slow (compared to Intel support) to gain Realtek NIC support due to the underlying FreeBSD OS. Also, large port counts on a FW can get costly. A decent quad-port Intel NIC card can be in the hundreds of USD, depending on where you buy it and the Intel chipset "flavor" (I350, 82576, etc.) being used. IMHO, a FW should be treated like a router, not a switch, but the mass-market "shlock" marketing message has totally duped most people.

          Given that a FW needs to be "on" 24x7 to be truly useful (and assuming an "always on" Internet connection), a highly reliable motherboard & power supply combo is a good start (a "must have"). I prefer "server class" motherboards over "desktop boards" since "server class" boards are designed for 24x7 operation. I have found Supermicro boards quite suitable for that requirement, but there may be others out there. What I like about Supermicro boards is: (1) stable and few BIOS releases; (2) long-term support (some up to 7 years) for some of their boards; (3) compatibility with a wide range of modern (Windows 7 and newer in some cases, Linux distros like RHEL & SuSE, etc.) OS software; (4) none of my Supermicro boards have failed on me in 10+ years of ownership.

          Another aspect to consider in a 24x7 setup is "power quality". A high quality UPS that has strong input filtering abilities and stable output will prolong the lifetime of whatever FW hardware you choose to use. I prefer "line interactive" UPS units that I can monitor with "nut" ("Network UPS Tools") under Linux. Connect your cable modem or similar interface device and the FW to the UPS and you can sustain most brief power disruptions and even gracefully shut down systems (which can speed up the system restart process, especially if the FW has a NAS function).

          A FW does not normally need a high-power or high-clock CPU. A "bottom of the line" dual-core Celeron works just as well as any Intel SoC (J1900 or Avoton/Rangeley) chip. Even the older "in-order processing" Intel ATOM processors can handle FW duties. I have used all of those types at one time or another, depending on my needs. A FreeBSD-based FW like pfSense and its derivatives along with almost any modern Linux distro should run fine on a modern motherboard with Intel NICs, a low-end CPU or even SoC, and 4GB of RAM (assume CLI and not a "windowed desktop" UI). I doubt the web interface of FreeBSD-based FW software will load down the CPU; you would think those FW software designers have considered that aspect (but it never hurts to check).

          If you load up lots of other tasks on your FW, then you have to consider the potential "attack surfaces" that could be exposed. Adding a NAS function to a FW can add load to the CPU depending on the usage of RAID, ZFS, etc. Adding virtualization and/or containers to a FW can become an even bigger security hole due to "weak security" in some container designs.

          If you are truly comfortable with the underlying OS, perhaps you should make some effort to learn how to directly program "pf" in FreeBSD or "shorewall" (easier than learning "iptables" and so on) in Linux. Yes, you give up the reporting aspects of a fancy GUI, but you gain some education and the ability to truly customize your FW to meet YOUR NEEDS.
          Last edited by NotMine999; 31 July 2017, 10:46 PM.



          • #6
            Originally posted by darkfires
            I've been using OPNSense for a couple years now and I absolutely love it. pfSense is garbage by comparison, and it makes OpenWRT look like a bad joke.
            What exactly makes pfsense garbage? Do you care to explain? I use pfsense and would like to know why I shouldn't.

            http://www.dirtcellar.net

