Wireless AP + NAT + firewall + SNTP + FastTrack + DNS + UPnP + PPTP server, on a 50 Mbps connection, no problems whatsoever.
I think you need to stop making theories and actually try the thing.
Maybe a little less than that for VPN performance.
I have tested a hAP lite on IPsec site-to-site; AES-128-CBC SHA1 gets a maximum of 29 Mbit/s with 100% CPU usage.
A heavy NAT + firewall + mangle + queue tree gets a maximum of 45 Mbit/s with 100% CPU usage.
Of course, a simpler configuration moves 100 Mbit/s without a problem.