Sean,
the main complexity in your setup will probably come from the
fact that you want to use VLANs on firewall machines. That means
you need one virtual interface per VLAN (that is the only way
known to me to get packets tagged on layer 2). Of course, that
also means you have to deal which each and every one of these
interfaces on layer 3 (routing and firewalling). Any solution
which hopes to scale with the growing number of VLANs has to solve
this problem. I'm working on the very similar setup to yours and
I still do not see a simple and elegant way to deal with this
problem. Of course, if the number of networks is limited to three
or four, then you won't have too much trouble (actually, in that
case I would rather use separate physical interfaces instead of
VLANs).
The second problem is that netfilter does not offer connection
tracking synchronization features present in expensive commercial
products. That is usually not the problem because much of the
traffic is single request-response (think HTTP), but when one
machine goes down, the state information gets lost. Anyway,
you still can build a pretty nice solution with keepalived
or heartbeat.
Kresimir