Hi,
To answer a few more questions from the OP:
pfSense is good. At some point someone might need more routing horsepower than its software stack can provide, but that point is probably in the 5-10 Gbps range, judging by the L3 forwarding / firewalling specs listed here (https://www.netgate.com/products/appliances/). Netgate does have a "next generation" platform called TNSR that has much, much higher bandwidth potential, but beyond that I don't know anything about it. Bottom line, pfSense can do everything most small-medium businesses need to do, as well as "prosumer" / "hobby" networks.
pfSense is meant to be a router/firewall. You can use it for other things if you jam it in there, but it's intended to be the main router/firewall between one or more LANs and one or more WANs, and you can throw a bunch of VPNs in there if you need to, too. There is no need for another dedicated router in the system at all. Once you go pfSense, there is no reason for anything OpenWrt, DD-WRT, etc., etc.
pfSense is a software package. Netgate also sells appliances built for it, with it pre-installed. They also sell service contracts, etc.
I've used both their appliances (SG3100) and installs on my hardware. The advantage of using one of their appliances is that the hardware is known good to go, simplicity, and, yeah, it's an "appliance." The advantage of using it on your own hardware is that it's cheaper if you have an appropriate machine sitting around (it does not have to be cutting edge by any means), and you have more hardware flexibility (and cheaper) if you want to have more or different NICs than you could get from them. It also might be easier to resurrect a setup if you have a hardware failure. I personally find having about 4x 1 GbE ports and 1x or 2x SFP+ ports to be most flexible and useful for my setups.
VLANs are not bad to set up on pfSense, but have the potential pitfall I mentioned earlier. In most VLAN setups, you will need to configure the VLANs on your switches and assign the untagged/tagged ports correctly.
If you do use a layer 3 switch for inter-VLAN filtering, the ACLs are much less flexible and much less easy to configure than they are on pfSense, but that's the price you pay for raw speed.