I'm not sure if I will replace the PERC card with another card, it may have to wait until after Christmas. In the meantime I am looking for a small computer for Sophos. I do actually like running it on a separate piece of hardware just to keep the internet up and running when I'm tinkering around.
I was also into the idea of an AiO, but as soon as internet would die anytime the server was <tinkered with>..
I ended up getting another box for bare-metal pfSense purposes. Quickly it got converted successfully to ESXi, with pfSense on top. With internet-critical components it is a huge relief and very comforting to have a separated machine, in particular on ESXi so that no worries occur with different "exported configs" (I don't trust those on pfSense half as much as I do on FreeNAS - it might be something I've read a while ago, might not be valid. But it is the basis on how I ended up on ESXi).
At the moment I've structured a few layers of backup solutions to my pfSense.
I've saved a functioning pfSense VM that is basic without any extras going, loaded onto ESXi as a sort of "get me online NOW" backup to tinkering mishaps (during which you'd no longer be able to google :P). This one is not operational typically. It is not a "last known working configuration" but a rather downscaled version in terms of what I need to get my stuff up and working. A fail-safe mode if you like.
On top of that safety net I've a running version with some configurations, firewall, port forwardings etc to suit the chosen functionality of the appliances on the network.
The last and most experimental of the VMs is still very much a work in progress. It is aimed to boast all sorts of fancy functionalities I can get out of pfSense (sort of).. including two-way VPNs, squid etc..
I'm not there yet. I'm in no hurry...
Hope you'll find some ideas on an approach to structure the 'safety net' around your router solution software and ESXi. Let me hear your thoughts.
Cheers.