I'm using pfSense too, had it on a regular PC but was getting some problems with the network interfaces,
it would randomly (about every second month) start dropping all packages from WAN and would have to be rebooted.
Installed it on an old HP Proliant and problem was gone (and an other good thing is that the hardware will last longer then a regular crappy PC)
Was testing QoS but didn't manage to set it up good enough, so I'm running without and never had any sound issues.
My carrier only allows SIP (and uses a huge port-span for RTP) so I setup rules to only allow the carriers IP-addresses to talk to my network and deny all other.
For remote administration I only got one random port open for SSH with "Disable Password login for Secure Shell (KEY only)" and using a password protected key,
and using the power of SSH for all my needs, like be able to access the webbui:ssh -L 12345:local-server-ip:80 user@external-ip
then I can access the webbui in a browser on http://127.0.0.1:12345
all traffic goes through ssh and thus no clear-text passwords being sent over the internet
(this can be done in putty too for those who dont use a better OS
or setup a local proxy though ssh:ssh -D 8080 user@external-ip
now you can access all your webbservers inside your network when you tell your browser to use 127.0.0.1:8080 as a SOCKS-proxy, all traffic securely over ssh!
I even manage to use a IAX2 softphone tunneling over ssh from an other country to make calls from my server (but it was a bit harder then tunneling a single port or the proxy method)
And the local network setup is a bit hard to explain, but the basics is that the agents and admins are separated using rules in the firewall