Don't take it as definitive answer, but it may not be the best choice.
I got hEX S last week as my new home router. It's nice little device. And there's really not many devices that have the options I want (SFP, IPSec acceleration, USB), only this one, RB3011 and then it's all overkill for home CCRs. The idea was to have public vlan (untagged at sfp1 and ether1, tagged at ether2-5), and other three vlans (for start all tagged at ether2-5, with possible future change to dedicate some untagged ports to some vlans). I tried the new bridge vlan filtering and it was nice, I really like the way how this configuration is done.
Problem is, routing between public vlan and another vlan went barely over 200Mbit/s. Removing public vlan and moving the config to single interface (either sfp1 or ether1) got me over 400Mbit/s, which is better, but still not great. I don't remember exactly (I got a little lost in all the configs I tried), but I think that without vlans it was close to full gigabit, so the bridge vlan filtering seems to be real performance killer here. Additionally, when vlan is involved, it seems that fasttrack doesn't work either (I don't normally use it at all, it was an attempt to speed things up).
I have yet to try if something can be done with the switch menu, aka the old unintuitive way (at least for me), but I'm not hopeful, half of the options are refused with "not supported". All in all, I'm sure it will be good enough for me in the end, but I have to admit that I'm a little bit disappointed, I thought that it would be more performant. Maybe there's still a chance that I did some stupid mistake, but I don't see it, I kept everything very simple.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.