Well, good news. The FSM7328S works great. The config needs a few tweaks vs the GSM7312, but it overall it's the same.
The ports are numbered 1/0/1 - 1/0/24 for the 10/100 ports, and 1/0/25 - 1/0/28 for the gig ports.
Right off the bat, this switch is meant for stacking with other compatible Netgear switches. As best I can tell, there's no way to disable this. Thus, ports 1/0/27 and 1/0/28 are hard coded stack ports and don't seem to be available for general purpose use. They took the config, but I wasn't able to pass traffic. It cleared up when I moved the pfSense box to 1/0/25 and the Google ONT to 1/0/26. I was able to get ~930x930 Mbit when I tested directly from the switch.
This is basically the box-stock config, with the bare minimum to get it working on a Google connection. The config is attached. You'll be able to telnet or access the web UI at 192.168.1.4 from any of the 10/100 ports.
The other nice thing about this vs the GSM73xx box is that it's smaller, and fanless. For $35 shipped, I couldn't be happier.
Now on to the not so good news.
I'm still seeing some IPTV issues. It was bad enough that my wife gave up on watching TV while she worked from home today. I may have found a partial fix though.
If you go into System > Advanced and then go to the System Tunables tab, there's an option called net.inet.ip.fastforwarding. Edit that value, and change it from 'default' to '1'. Then reboot your box. I noticed a nice 10% increase in my speed tests, though the tests were hardly scientific. I've been watching a movie for the last couple hours, and the video has been damn near perfect the entire time. Be warned though. I've read some posts that say this setting can break IPSEC VPN clients. That may have just been for older versions though. The information is conflicting in some places.
I've read about people successfully using far less powerful pfSense setups on other IPTV systems, so all I can figure is that Google has very tight timing tolerances that the pfSense IGMP proxy or firewall code struggles to meet.
One last thing....IPv6 DHCP. I tried to get an IPv6 address when I tested directly from the Netgear switch. I wasn't able to. Technically the switch should just pass any ethernet frames, regardless of whether they've got v4 or v6 payloads. But clearly something is missing. I don't know enough about IPv6 yet to really make much headway on it.
I've got access to a few other switches, so I'll see if I can't line up some more tests for the IPv6 stuff.