Funny, that is very similar to what I'm doing. I like the write-up; I will read it all when I get some time. Looking at my work-in-progress revised plans to configure eth1-4 as a "trunk switch", going zone-based might not give me anything useful.
To add to the plans, I will also be looking at how to route a specific port range through an OpenVPN connection as well.
After that (and it may just be wishful thinking), I'd like to see if there is a way that I can get the ERx to do "VPN on demand". I'd be interested in having it connect to my AWS account as needed, so that I have a secure connection there, but I don't want it connected all the time since you're billed by usage.