P
I can answer some of your questions but not all of them. I'll give you my experience and suggestions for the areas that I know.
Regarding the build, I would recommend something newer than the N3700 series. I'm currently running an Asrock J3455 based system now with a PicoPSU, and it's pulling 11 watts on 110v power here in the US.
The J3455 board was about $65 from Newegg. The PicoPSU + power brick was $55. If you have some DDR3 memory laying around and an extra case, that is all you need to get started. If you need to purchase those items, add them to the cost.
For a NIC, Intel based is highly recommended. I have also had good luck with Broadcom NICs after some tweaking however, Intel NICs can be found very affordably on ebay from a working server pull. When you order the NIC, make sure you're getting one from a server recycling vendor that is selling an actual OEM product, do not order from China or you will very likely get a fake Intel NIC. Some good options are the HP NC365T, this is the same NIC as an Intel Quad I340. It uses the latest Intel IGB driver on pfsense and is very easy to tune. I have one of these NICs and it is rock solid stable, and quad port gives you room to grow.
I have also used HP NC382T NICs (dual port Broadcom 5709) and HP NC360T NICs (dual port Intel 82571). Both of these also work well, they aren't quite as new as the I340 and can be found cheaply, the broadcom NIC regularly sells for under $10. These are good budget options and both of them are very stable.
If going with a J3455 setup, PCIe slots are limited, and there is usually only one full bandwidth slot for an x2 or x4 PCIe card. I would recommend you buy a quad port card on the J3455 setup so that you can have a single card in the fastest PCI slot and maximize your bandwidth.
IMHO, I don't like to use onboard server NICs because of Intel Manage Engine issues (security hijack point). I much prefer a separate physical NIC to assign to WAN port and LAN ports to. Because of this, using a J3455 wasn't an issue for me because it had low quality Realtek NIC onboard, and I just disabled it and used my own PCIe NIC of choice.
People have issues witht he J3455 because FreeBSD had a regression in 11.1 release, which is what pfsense 2.4.3 is based on. If you run the development release (2.4.4.a), it will install natively in UEFI without any issues, that's how I run on my J3455 setup. Traffic shaping is now easy on 2.4.4.a and fq_codel is built in to the GUI on the latest pfsense builds in 2.4.4.a.
I don't used pfblocker, snort, or VPN on the firewall, so I can't give you direct feedback on those items. If you're on a budget, the J3455 is a very good setup, especially if you can re-use some older components (like an old ATX case) and just stick it under the stairs. You didn't mention your budget requirements so I'm not sure what targets you're trying to hit.
