With respect to the Protectli box, they recommend either the FW6B or FW6C for 1Gbps throughput requirements. I'm only at 100Mbps, and have had no issues with the cheaper machine.

BTW, Protectli can also run pfSense, if you don't want to shell out for the Netgate-branded hardware.

I have not tried running reports from OPNsense to look at what's communicating to the outside world -- I also run a Pi-hole, and generally just look at that, instead, because if it's communication I don't want (i.e. to ad servers), I'm going to blacklist it there, anyway, before I start trying to craft special rules on the firewall.