I would buy whatever modem Comcast themselves would ordinarily supply.
Ideally your actual modem is just going to be a transparent gateway, feeding some router behind it where you would run your things like VPN, port-forwarding rules, etc.
The reason I say buy the same modem as Comcast's is because when (not if) your service goes down or suffers in some way, Comcast is going to tell you everything is good and it must be your modem. To resolve this, you are probably going to drive to Comcast's office, rent their modem for a few days, plug it in and see what happens. If this actually fixes the issue, then you are going to wonder if there is some weird incompatibility now with your aftermarket modem, or not.
To save all the above, just use what Comcast uses, but don't pay them to rent a modem; buy yours outright. Everything should be DOCSIS 3.0, and you are not (or should not be) using any of the 'features' on the modem for wifi or port-forwarding, so for your purposes they are all equivalent.
For a router, it really depends on how complex you want to get. In your case I probably would (actually, have) set up a pfsense box for corporate stuff. I would also set up one of each of whatever you install for customers as well for test/demo networks (you are presumably getting a block of IPs from Comcast?). That way you can test/debug router configurations for customer networks, and give your techs a good sandbox.