Hacker News

benlivengood, today at 6:59 PM, 0 replies

You need more careful firewall rules on any device with IP forwarding enabled, and it can be hard to remember exactly when forwarding, NATing, etc. happen in relation to the incoming/outgoing firewall rules.

E.g. is your pf-based load balancer running its rules before or after the global filtering rules? And if they're running first are they SNATing incoming traffic so the LAN rules allow the traffic through or does it need explicit exceptions for external IPs to traverse to a LAN endpoint?

If you're comfortable with more advanced networking then it's fine to run it all on one box. If you just want to open ports for internal LAN services then that is a very canned and well-supported feature for a gateway firewall.

E.g. see AirSnitch which resulted in large part from mixing too many complex networking rules in single devices.
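The ordering question in the comment above (does the port forward run before or after the filter rules, and does the filter rule need to match the external source or a SNATed one?) is concrete in pf. The following pf.conf is an added example written for this page, not the commenter's configuration or anything from the thread: interface names, addresses and the web server host are all assumed, and the syntax is the FreeBSD/pfSense style (`nat`/`rdr` as separate rules) rather than OpenBSD's `match ... rdr-to`/`nat-to` options. The ordering caveat is the same on both: translation is applied first, so the filter rules see the translated packet.

```pf
# Added example, not from the thread. All names and addresses are assumed.
ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# In FreeBSD pf, nat/rdr rules are processed before the filter rules.
# Outbound masquerade for the LAN.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port forward: WAN:443 -> LAN web server. After this rule the packet's
# destination is 192.168.1.10, and that is what the filter rules see.
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $web_srv port 443

block log all
pass out quick on $ext_if keep state
pass in on $lan_if from $lan_net keep state

# WRONG: never matches. By the time filtering runs the destination is
# already $web_srv, not the WAN address, so this leaves the forward blocked.
# pass in on $ext_if proto tcp to ($ext_if) port 443 keep state

# RIGHT: filter on the post-translation destination. Note the source is
# still the real external IP; the "pass in on $lan_if from $lan_net" rule
# does NOT cover it, so this explicit exception is required.
pass in on $ext_if proto tcp from any to $web_srv port 443 keep state

# Alternative the comment alludes to: also SNAT the forwarded traffic to the
# gateway's LAN address. The server then sees the gateway as the client (so the
# LAN-to-LAN rule would allow it and replies always route back via the gateway),
# at the cost of losing the real client IP in the server's logs.
# nat on $lan_if proto tcp from any to $web_srv port 443 -> ($lan_if)
```

Check it with `pfctl -nf /etc/pf.conf` (parse only) and then `pfctl -sn` / `pfctl -sr` to see the translation and filter rule sets separately; if a forward "does nothing", the first thing to confirm is that the `pass in` rule references the LAN address, not the WAN address. The commented-out `nat on $lan_if` line is the trade-off the comment describes: it makes a single broad LAN rule sufficient, but it hides the true source from the endpoint.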