The design you showed would work, but I always try to remember KISS - Keep It Simple, Steve! ;D
There's no real need for segmenting your LAN into VLANs. VLANs should be used to segment network traffic. If you have a small office, with ten or fewer PCs and a server or two, then you don't need to use VLANs. VOIP phones would be another matter but I don't see any of those on your drawing.
Instead of what you drew, I would connect the firewall, all the PCs, the server and the wireless configuration manager (if it is NOT also a WAP) into the Cisco. Don't bother to set up VLANs, just let everything connect on the default VLAN (NOTE: if your office is bigger than it appears from your drawing, there is an arguement to be made about setting up a VLAN and letting the default VLAN alone, unconfigured, so that no one can connect a device to your network without you configuring the port, but if this is a small office and you control access to the patch panel/switch, that is not an issue). This has the advantage that you don't have to configure anything and if the switch loses its configuration you don't have to reload from a backup.
The wireless access points (and by extension, the devices that connect to them) I would put in an umanaged switch that connects back to an OPT interface on the pfSense firewall that serves as your DMZ. This protects your network a little more than connecting your wireless devices directly to your internal LAN.
Run DHCP from the firewall. Everything routes out through there and it routes everything not directly connected to the Internet.
Here is a diagram of how I would do it:
[image: Drawing1.jpg]
[image: Drawing1.jpg_thumb]
