@mouseskowitz Thank you so much for your recommendations and especially for including your thinking behind them in your answer.
One followup question: Looking at the Netgate specs, I am noticing that IPSec performance appears on the low side, topping out at ~2.8Gbps using AES128-CBC.
How, if at all, would your recommendations change if a large percentage of the uplink traffic were AES256-GCM IPSec tunnels? While likely infrequent, I can see total IPSec traffic bursting to about 4Gbps before long. Thanks!