1. Why do you need encryption in such an office?
2. If as pure access points, it’s better not ac2 but cAP ac
3. I think in your case RB3011UiAS-RM would be enough for your head, and the rest on L2 switches
4. You need to clearly define what you want to see on the network and based on this already make a choice with equipment and software.

If you need gigabit in LAN, then you can put MikroTik CRS125-24G-1S-2HnD-IN (14k pcs.) Mikrotik CSS326-24G-2S + RM (9k pcs.) And two access points for wifi in the corridor under the ceiling like MikroTik hAP AC lite RB952Ui-5ac2nD (3.3k pcs). CR125 is not the strongest processor, but if ipsec is used with fasttrack, then there will be no problems. Well, it’s desirable in more detail whether vlan or vpn will rise in the office, the garbage file and backups should be through sfp or just a couple of gigabit holes on the host in the harness.

the router is completely normal. As for encryption, I did not understand - what and where to encrypt? Where did pfSense come from - after all, initially they just made a network? Or do you need another proxy?
The solution "full-fledged wheelbarrow with a router" has both advantages and disadvantages
Advantages:
- extensibility
- a lot of functionality is hung in one touch
- a large disk for logs / statistics is not a problem
- maintainability (replaced the node and works again)
Disadvantages:
- monitor and keyboard are required
- a person of sufficient qualification is required to lift it in case of a fall, and it is required locally, since there will be no connection.
Therefore, I usually put a Mikrotik as a router, and behind it a proxy and everything you need - it’s quite difficult to drop the Mikrotik.

At the moment, the network in the office works on:
1 Gbps optics, included in the D-Link DMC1910R media converter
20 Mbps optics, included in the Foxgate media converter.
A patch cord from one of the media converters is included in the Asus RT-N12 VP.
SCS has been laid throughout all the premises, patch panels are embroidered, patch cords are connected to three switches:
D-Link 1226G
D-Link DES 1024A
D-Link DES 1024A
The office has 50 workstations, on Ubuntu, almost all employees have mobile devices that need wi-fi.
There are several servers hosted by Proxmox, a domain controller, a terminal server for applications that only run on Windows.
In general, I would like to make the network more secure, implement various things: hotspot, seamless wifi, separate departments and servers into vlan, and protect the network from viruses and ddos ​​to the maximum.
Why encryption - I just want to implement such a thing)
In addition, the company is in the lead in transportation in my city, I don’t want there to be problems with security, data leakage.
Mikrotiks have not been bought yet, I just plan to build a network from scratch almost.
Change three pieces. I don’t want old switches now, a separate budget will be allocated for this.
I want to spend $500 most correctly from the point of view of network building and security - on a router, wifi point, gateway, or any combination of these.

Before taking Mikrotik in particular RB1100AHx4, look at the diagram of the piece of iron
, the link speed between eth 1-5 <-> 6-10 is only 2.5 GB https://i.mt.lv/cdn/rb_files/RB1100AHx4v4-17081614...
Makes sense see CCR1009-7G-1C-PC there is a normal switching matrix.
Access points as an option cAP-2nD
switches - DES 1024A in the trash
, this DES-1226G can be left
replaced with something DES-1210-52 / ME - quite good, if you need a swarm then DGS-1210-52MP / ME

IPsec on devices without hardware encryption is very slow, about 20 Mbps and 100% load. If you take modems, then always with hardware encryption, your models support this. Here is a complete list of hardware with hardware encryption: wiki.mikrotik.com

FOR 50 PCs, Mikrotiks have rather weak processors pfSense on the computer will be much more productive