Fine grained control over routing & filtering when tunneling a /24 public IP net

rcfa

I sort of ask this question in intervals, as pfSense and my understanding evolves…

What I have:

• Class-C (/24) direct assignment of pubic IPv4 address space
• a HE-tunnelbroker assignment of IPv6 address space
• a FiOS link to my site (but no ability/willingness on the side of Verizon to route my net), with a pfSense box as router/firewall
• a colocation site with an identical pfSense box, to which my IP address space is routed.

What I do/did:

• tunnel all of my IPv4 address space and traffic over a VPN (IPSec first, OpenVPN currently) to the Colo, and from there to the internet
• tunnel all of my IPv6 address space and traffic over the tunnelbroker tunnel to HE and from there to the internet

What I can't do due to seeming limitations of OpenVPN and IPSec:

• policy based routing that runs trivial traffic (web browsing, downloads) through NAT and directly to the internet over FiOS rather than through the tunnel-colo detour
• proper filtering/routing, because both OpenVPN tunnel as IPSec seem to grab some traffic before pf gets its paws on it, or sets up routing that has priority over other things. Maybe I'm just not doing things right
• make sure IPv6 is prioritized over IPv4, seems like due to initial ping times IPv4 gets the preference, but does pings are direct FiOS, not the tunnel, so they don't reflect the actual realities of how packets flow from the LAN

What I really would like:

• the functional equivalent of two PFsense units in series: one that connects to FiOS and then offers three physical links: WAN4, WAN6, and WAN-NAT, and then a second box that connects DMZ and LAN to these three WAN links through policy based routing. But in one box...
• preferably with data compression for what goes through the tunnel
  ...so what, short of two units in series, allows me to get the same effect?