I am a fan of Sophos and their XG (and SG) firewalls, endpoint etc.
I run an XG Home on an i3, 6GB RAM, 120GB SSD Shuttle PC with dual NICs. There are some policy exceptions that need to be allowed to not have the family freaking out because they can't access Instagram, Twitter, WhatsApp etc.
Under Protect --> Web --> Exceptions I have found adding the following helps:
^([A-Za-z0-9.-]*\.)?50\.22\.2[0-5][0-5]\.
^([A-Za-z0-9.-]*\.)?whatsapp\.net\.?/
^([A-Za-z0-9.-]*\.)?whatsapp\.com
^([A-Za-z0-9.-]*\.)?50\.22\.19[2-9]\.
^([A-Za-z0-9.-]*\.)?whatsapp\.net
^([A-Za-z0-9.-]*\.)?teamviewer\.com/?
^([A-Za-z0-9.-]*\.)?1e100\.net\.?/
^([A-Za-z0-9.-]*\.)?twimg\.com
^([A-Za-z0-9.-]*\.)?twitter\.com
^([A-Za-z0-9.-]*\.)?fbcdn\.net
^([A-Za-z0-9.-]*\.)?instagram\.com
^([A-Za-z0-9.-]*\.)?instagram\.net
^([A-Za-z0-9.-]*\.)?instagram\.net\.?/
^([A-Za-z0-9.-]*\.)?dropboxstatic\.com/
^([A-Za-z0-9.-]*\.)?dropbox-api\.arkoselabs\.com/
^([A-Za-z0-9.-]*\.)?dropboxpartners\.com/
^([A-Za-z0-9.-]*\.)?google\.com/
^([A-Za-z0-9.-]*\.)?dropboxmail\.com/
^([A-Za-z0-9.-]*\.)?db\.tt/
^([A-Za-z0-9.-]*\.)?dropboxcaptcha\.com/
^([A-Za-z0-9.-]*\.)?dropboxapi\.com/
^([A-Za-z0-9.-]*\.)?dropboxforum\.com/
^([A-Za-z0-9.-]*\.)?paper\.dropbox\.com/
^([A-Za-z0-9.-]*\.)?dropboxbusiness\.com/
^([A-Za-z0-9.-]*\.)?dropboxforums\.com/
^([A-Za-z0-9.-]*\.)?cdn\.arkoselabs\.com/
^([A-Za-z0-9.-]*\.)?dropbox-dns\.com/
^([A-Za-z0-9.-]*\.)?instructorledlearning\.dropboxbusiness\.com/
^([A-Za-z0-9.-]*\.)?getdropbox\.com/
^([A-Za-z0-9.-]*\.)?dropbox\.com/
^([A-Za-z0-9.-]*\.)?dropbox\.zendesk\.com/
^([A-Za-z0-9.-]*\.)?paper-attachments\.s3\.amazonaws\.com/
^([A-Za-z0-9.-]*\.)?dropboxinsiders\.com/
^([A-Za-z0-9.-]*\.)?anz\.com\.?/
^([A-Za-z0-9.-]*\.)?icloud\.com\.?/
^([A-Za-z0-9.-]*\.)?mzstatic\.com\.?/
^([A-Za-z0-9.-]*\.)?android\.clients\.google\.com/
^([A-Za-z0-9.-]*\.)?apple\.com\.?/
^([A-Za-z0-9.-]*\.)?cdn-apple\.com\.?/
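
An added example, not part of the original post: a Python check that runs a few of the patterns above against a constructed lookalike hostname, showing which ones have no trailing `/` and so also match longer domains that merely begin with the intended name. It assumes the filter matches each pattern against host/path without the scheme; `example.invalid` and the helper names are made up for the illustration.

```python
import re

# Assumption: exceptions are matched against "host/path" (no scheme),
# which is the shape the patterns in the list are written for.
PREFIX = r"^([A-Za-z0-9.-]*\.)?"

# Subset of the patterns from the list above, copied verbatim.
PATTERNS = [
    r"^([A-Za-z0-9.-]*\.)?whatsapp\.net\.?/",
    r"^([A-Za-z0-9.-]*\.)?whatsapp\.com",
    r"^([A-Za-z0-9.-]*\.)?twitter\.com",
    r"^([A-Za-z0-9.-]*\.)?teamviewer\.com/?",
    r"^([A-Za-z0-9.-]*\.)?dropbox\.com/",
    r"^([A-Za-z0-9.-]*\.)?50\.22\.19[2-9]\.",
]

def literal_host(pattern):
    """Return the plain hostname a pattern targets, or None if it is not a literal."""
    if not pattern.startswith(PREFIX):
        return None
    body = pattern[len(PREFIX):]
    # Strip the end-of-host terminator, longest form first.
    for tail in (r"\.?/", "/?", "/"):
        if body.endswith(tail):
            body = body[:-len(tail)]
            break
    host = body.replace(r"\.", ".")
    return host if re.fullmatch(r"[A-Za-z0-9.-]+", host) else None

def audit(patterns):
    """Classify each pattern as 'ok', 'overbroad', 'broken' or 'skipped'."""
    results = {}
    for p in patterns:
        host = literal_host(p)
        if host is None:          # e.g. IP-prefix patterns with character classes
            results[p] = "skipped"
            continue
        rx = re.compile(p)
        legit = rx.search(f"www.{host}/index.html") is not None
        # Constructed lookalike: the intended name used as a prefix of another domain.
        lookalike = rx.search(f"{host}.example.invalid/index.html") is not None
        results[p] = "overbroad" if lookalike else ("ok" if legit else "broken")
    return results

if __name__ == "__main__":
    for pattern, verdict in audit(PATTERNS).items():
        print(f"{verdict:10} {pattern}")
```

Patterns reported as overbroad can be tightened by ending them with `\.?/`, the form the list already uses for entries such as `whatsapp\.net\.?/`.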