Is Cardano Mainnet using P2P yet?

I don’t understand your concern.

There is no problem with running P2P on your block producer. There is no problem running everything using P2P mode as I do. There is also no problem running some P2P and some in legacy mode.

I also don’t see why you would need to change your firewall compared to what you were using when running everything in legacy mode. P2P mode can pierce firewalls more easily because your nodes can initiate outgoing connections from your internal network to external relays and then these connections can be upgraded to duplex if both ends are running P2P mode.

The main thing is that you don’t want any external entity being able to initiate a connection in to your block producer. Consequently, if you want to run P2P mode on your block producer, you only want it connecting with your own relays. These connections with your relays will get upgraded to duplex, but that isn’t a security concern because you want bilateral connections between your BP and your relays.

This post has copies of the topology files I use for my relays and my BP.

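An added example, not part of the original post or the topology files it links to: a small Python check that a block producer's P2P topology file only dials your own relays. It assumes cardano-node's P2P topology JSON layout (`localRoots`, `publicRoots`, `bootstrapPeers`, `useLedgerAfterSlot`); the relay addresses and the `audit_bp_topology` name are hypothetical.

```python
import json

# Constructed sample: block-producer topology in cardano-node's P2P format.
# Relay addresses are placeholders, not values from the post.
SAMPLE_BP_TOPOLOGY = """
{
  "localRoots": [
    {
      "accessPoints": [
        {"address": "10.0.0.11", "port": 3001},
        {"address": "10.0.0.12", "port": 3001}
      ],
      "advertise": false,
      "valency": 2
    }
  ],
  "publicRoots": [],
  "useLedgerAfterSlot": -1
}
"""

OWN_RELAYS = {("10.0.0.11", 3001), ("10.0.0.12", 3001)}  # hypothetical relays


def audit_bp_topology(text, own_relays):
    """Return a list of findings; an empty list means the BP only dials own relays."""
    topo = json.loads(text)
    findings = []
    for group in topo.get("localRoots", []):
        if group.get("advertise", False):
            findings.append("localRoots group has advertise=true")
        for ap in group.get("accessPoints", []):
            peer = (ap.get("address"), ap.get("port"))
            if peer not in own_relays:
                findings.append(f"localRoots peer {peer[0]}:{peer[1]} is not an own relay")
    for group in topo.get("publicRoots", []):
        for ap in group.get("accessPoints", []):
            findings.append(f"publicRoots peer {ap.get('address')}:{ap.get('port')} configured")
    if topo.get("bootstrapPeers"):
        findings.append("bootstrapPeers is set")
    # Negative disables ledger peers; a missing key is flagged too (conservative choice here).
    if topo.get("useLedgerAfterSlot", 0) >= 0:
        findings.append("useLedgerAfterSlot is not negative (ledger peers enabled)")
    return findings


if __name__ == "__main__":
    for line in audit_bp_topology(SAMPLE_BP_TOPOLOGY, OWN_RELAYS) or ["OK: only own relays"]:
        print(line)
```

The topology file only controls outbound peers; the firewall rule allowing inbound connections to the block producer solely from your relays is a separate control.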