I appreciate all the comments so far and please keep them coming if you have an opinion!
I would go with a small ITX PC with a dual gigabit NIC and a 4-port PCIe gigabit NIC. That gives you 6 NICs in a box.
The issue I have with using a PC is most of these solutions DON'T support any sort of L2 switching in an ASIC. Sure, they can do this in software bridging code but this is not optimal. Then it comes down to more purpose-built, hardened hardware. I can try to buy some industrial PC cases, etc. but it gets WAY more expensive in a hurry when you go that route. I've done it many times in the past but since I have to build something that I might have to hand over to someone else one day, I think it would be best to be a little more mainstream.
Run this under OpenWrt, or OPNsense or pfSense. You could even run MikroTik OS.
I DO like the concept of running OpenWRT as the availability of getting updated binaries should be a lot longer. The thing I worry about is the slow demise of OpenWRT like what we all saw with say DD-WRT, Tomato, etc. DD-WRT is still "kinda" around in the beta releases but it sure seems like it's on "failing life support". Mikrotik seems to have a strong feature set with more commercial support. I'm willing to pay for it if it's worth it. It sure seems like Ubiquiti has been coming up with available routers, etc. too from their Wifi roots but no one here has advocated for them. That's ok as there has to be like 30+ router vendors out there. I just need one. :-)
You can have a small SSD in there and 4 gig of RAM to be sure all is OK, and this setup would be able to do all of your needs and even more.
One thing I'm unclear on with Mikrotik is their different generations of hardware. I DO want to make sure I get the newer generation so, in theory, I get the longer supported OS support. Does anyone know if the CCR1009-7G-1C-1Splus is a new generation of hardware or is it older? Regarding buying a box that can run "The Dude" on an internal SSD, do Wifi, or other stuff on the side: that was something I was planning on running on a separate machine with say TICK, Zabbix, etc. Not sure, but I seriously worry: if something goes south in that system, can it harm the router? That's NOT acceptable in my book.
Finally, Pete M brought up the topic I was waiting for: security quality of code. Mikrotik has had some bad vulnerabilities recently that morphed into at least two different worms. I also know that no company is perfect. In these two examples, anyone intentionally exposing a device's admin interface to the raw Internet is seriously asking for it. That's REGARDLESS of who manufactures the device. That won't happen in this installation but I would like to confirm that most people have been happy with Mikrotik or other proposed vendors' hardware and software otherwise.
I also know that some people use firewalls as their primary router. Juniper's SRX300 line is their new hardware gen but it costs $1000 which is exorbitant for us. I imagine similar products from Fortinet, Palo Alto, etc. are similarly priced though say a Cisco ASA5506 is cheaper. Yes, I can get used but then I won't get the support or updated code but I also then worry about some vendor's support for IPIP, etc. I'm really just needing a quality router.
--David KI6ZHD