Comment on what are the realistic requirements for opnsense?

towerful@programming.dev 1 year ago

I would try and set something up on your old hardware, and try it out.
Use it as a learning experience.

Gigabit packet forwarding (even basic NAT) isn’t super heavy.

When I was trying it out, I used some old $50 refurbished thing from eBay with like 2 cores and 4GB of RAM.
Only upgrade I made was to install an Intel 4port ethernet card, mostly because it was a widely recommended one, and I could pick one up for like $20. I only ever used 2 ports on it - wan and lan.

When I first started playing, I used my ISP router as a modem/router, and DMZ’d opnsense. Opnsense was the only thing connected to the ISP router’s LAN.
This meant that my opnsense had a private IP (ie rfc1918) for its WAN port, and I would have a double-NAT (outbound packets from my actual LAN would get NAT’d to opnsense’s WAN IP (which was inside the ISP router’s LAN), then the ISP router would NAT that onto its public IP).
I never had any issues with double nat, but I only had a small network.
As the opnsense box was the DMZ for the ISP router, all incoming traffic was forwarded to opnsense, which could then control port forwarding to wherever. So I didn’t have any complications with port forwarding.

My next upgrade was a more dedicated opnsense box (one of those 4-port fanless nameless nucs for ~$300).
I also bought a bridge modem, so that opnsense could do the PPPoE (or whatever it was) connection and take the public IP directly.

After that, I bought a managed switch with VLANs.
However, I still only use 2 physical ports on my opnsense box (which was a mistake). 1 for WAN, and 1 for Trunk. I then have virtual interfaces for each VLAN configured within opnsense.

I think the important minimum requirements are “decent network card”. Which, for the most part, is the recommended 4 port intel card. I can’t remember the part number, but quick Googles will probably find it.
Then, install opnsense, make sure it works, figure out how to replace your ISP router (or DMZ/double-nat).

If you ever plan on doing more complex things, my biggest recommendation is to essentially keep the default assignments, then build off of them.
So opnsense will default assign a wan port and a lan port.
Use the wan port as wan, and use the LAN port as “admin access” and nothing else (ie don’t actually connect it to a network).
Then, add an additional physical interface for your actual lan (which in my case now carries the trunk for various vlans).
This makes it SUPER easy to wipe the config, reinstall or whatever using the “admin” network, then import a backup.
I made this mistake, and would often have to do “vlan shenanigans”, annoying patching, etc to get me out of trouble.
Whereas grabbing a laptop, plugging directly into the “admin” (ie default lan) port, and fixing stuff is easy as hell. Doesn’t matter if it’s a fresh wipe install, a default’d config, or active installation. I always have easy physical access (which is guaranteed by opnsense’s antilockout rules - which don’t seem to apply to anything you create)

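The double-NAT and DMZ arrangement the post describes, as an added example (not code from the post or from the OPNsense project): a small Python model of two chained port-address translators. The ISP router hands every unsolicited inbound packet to its DMZ host (the opnsense WAN address), and opnsense then decides, via its own port forwards, whether that packet reaches a LAN host or is dropped. All addresses are constructed for illustration and use the RFC 1918 and documentation (TEST-NET) ranges; the class and function names are this example's own.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count


@dataclass(frozen=True)
class Packet:
    """Only the 4-tuple a NAT cares about (no payload, no protocol)."""
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Toy port-address translator with a session table and an optional DMZ host."""

    def __init__(self, name, inside_net, outside_ip, dmz_host=None):
        self.name = name
        self.inside = ip_network(inside_net)
        self.outside_ip = outside_ip
        self.dmz_host = dmz_host        # unsolicited inbound goes here if set
        self.sessions = {}              # outside port -> (in_ip, in_port, remote_ip, remote_port)
        self.port_forwards = {}         # outside port -> (in_ip, in_port)
        self._next_port = count(40000)  # outside ports handed out in order (toy behaviour)

    def outbound(self, pkt):
        """Rewrite the source to our outside address and remember the session."""
        if ip_address(pkt.src) not in self.inside:
            raise ValueError(f"{self.name}: {pkt.src} is not on the inside network")
        port = next(self._next_port)
        self.sessions[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt):
        """Packet arriving at our outside address: reply, port forward, DMZ, or drop (None)."""
        if pkt.dst != self.outside_ip:
            raise ValueError(f"{self.name}: {pkt.dst} is not our outside address")
        entry = self.sessions.get(pkt.dport)
        # Reply traffic must come from the remote endpoint the session was opened to.
        if entry and (pkt.src, pkt.sport) == entry[2:]:
            return replace(pkt, dst=entry[0], dport=entry[1])
        if pkt.dport in self.port_forwards:
            in_ip, in_port = self.port_forwards[pkt.dport]
            return replace(pkt, dst=in_ip, dport=in_port)
        if self.dmz_host:
            return replace(pkt, dst=self.dmz_host)
        return None


def build_topology():
    """Constructed layout: LAN 10.0.0.0/24 behind opnsense, whose WAN sits in the ISP router's LAN."""
    opn = Nat("opnsense", "10.0.0.0/24", "192.168.1.2")
    isp = Nat("isp-router", "192.168.1.0/24", "203.0.113.7", dmz_host="192.168.1.2")
    return opn, isp


def outbound_path(opn, isp, pkt):
    """LAN host -> opnsense NAT -> ISP router NAT; returns the packet after each hop."""
    after_opn = opn.outbound(pkt)
    after_isp = isp.outbound(after_opn)
    return after_opn, after_isp


def reply_path(opn, isp, reply):
    """Reply from the internet walks the two session tables back to the LAN host."""
    at_opn = isp.inbound(reply)
    return opn.inbound(at_opn)


def unsolicited_inbound(opn, isp, pkt):
    """New inbound connection: DMZ hands it to opnsense, which forwards or drops it."""
    at_opn = isp.inbound(pkt)
    return opn.inbound(at_opn)


if __name__ == "__main__":
    opn, isp = build_topology()
    hop1, hop2 = outbound_path(opn, isp, Packet("10.0.0.20", 51000, "198.51.100.9", 443))
    print("after opnsense:", hop1)
    print("after ISP router:", hop2)
    print("reply reaches:", reply_path(opn, isp, Packet("198.51.100.9", 443, "203.0.113.7", 40000)))
    print("unsolicited :22 with no forward:", unsolicited_inbound(opn, isp, Packet("198.51.100.50", 12345, "203.0.113.7", 22)))
    opn.port_forwards[22] = ("10.0.0.30", 22)
    print("unsolicited :22 with forward:", unsolicited_inbound(opn, isp, Packet("198.51.100.50", 12345, "203.0.113.7", 22)))
```

The `sessions` lookup checks the remote endpoint as well as the port, which is what keeps a stray packet to an in-use outside port from being misrouted to an inside host; without the DMZ entry on the ISP router, every unsolicited inbound packet would be dropped at the first NAT and opnsense's port forwards would never see it.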