Sean, the main complexity in your setup will probably come from the fact that you want to use VLANs on firewall machines. That means you need one virtual interface per VLAN (that is the only way known to me to get packets tagged on layer 2). Of course, that also means you have to deal with each and every one of these interfaces on layer 3 (routing and firewalling). Any solution which hopes to scale with the growing number of VLANs has to solve this problem. I'm working on a very similar setup to yours and I still do not see a simple and elegant way to deal with this problem. Of course, if the number of networks is limited to three or four, then you won't have too much trouble (actually, in that case I would rather use separate physical interfaces instead of VLANs).
The second problem is that netfilter does not offer the connection tracking synchronization features present in expensive commercial products. That is usually not a problem because much of the traffic is single request-response (think HTTP), but when one machine goes down, the state information gets lost. Anyway, you still can build a pretty nice solution with keepalived or heartbeat.

Kresimir
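The "one virtual interface per VLAN, one layer-3 rule set per interface" pattern described above, as an added example that is not part of the original post or thread. It only prints the commands; the trunk name eth0, uplink eth1 and the 10.0.n.0/24 addressing per VLAN n are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates (prints, does not
# run) the per-VLAN interface and netfilter commands for a Linux firewall that
# carries several VLANs on one trunk. Assumptions (mine): trunk eth0, uplink
# eth1, VLAN n is 10.0.n.0/24 with the firewall at 10.0.n.1.
TRUNK=eth0
UPLINK=eth1

# vlan_iface ID -> name of the tagged sub-interface, e.g. eth0.10
vlan_iface() { printf '%s.%s\n' "$TRUNK" "$1"; }

# Layer-2/3 plumbing: one virtual interface per VLAN, each with its own address.
vlan_link_cmds() {
    ifc=$(vlan_iface "$1")
    printf 'ip link add link %s name %s type vlan id %s\n' "$TRUNK" "$ifc" "$1"
    printf 'ip addr add 10.0.%s.1/24 dev %s\n' "$1" "$ifc"
    printf 'ip link set %s up\n' "$ifc"
}

# Per-interface firewall policy: the VLAN may reach the uplink, replies return
# via conntrack, and VLAN-to-VLAN forwarding is refused. "eth0.+" is the
# iptables wildcard matching every tagged sub-interface of the trunk.
vlan_fw_cmds() {
    ifc=$(vlan_iface "$1")
    printf 'iptables -A FORWARD -i %s -o %s.+ -j DROP\n' "$ifc" "$TRUNK"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$ifc" "$UPLINK"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$UPLINK" "$ifc"
}

# gen_config ID... -> full command list: global default first, then one block per VLAN.
gen_config() {
    printf 'iptables -P FORWARD DROP\n'
    for id in "$@"; do
        vlan_link_cmds "$id"
        vlan_fw_cmds "$id"
    done
}

# count_cmds ID... -> number of commands emitted; grows linearly with the VLAN count,
# which is exactly the per-interface burden the post is about.
count_cmds() { gen_config "$@" | wc -l | tr -d ' '; }

# Sample run with three VLANs; pipe the output into "sh" on the firewall to apply it.
gen_config 10 20 30
```

Every VLAN you add costs six more commands here, and the same multiplication applies to any monitoring or failover (keepalived/heartbeat) configuration that has to track each sub-interface.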

