A couple of thoughts. I can go into more detail on any of these if you need me to.
- When it comes to wireless, there are two ways to plan. One is for coverage, the other is for capacity. Based on the number of devices (capacity) and space (coverage) that you describe, I believe that capacity is going to be the bigger deciding factor. Remember that wireless is like using an old-school hub. Everyone hears everything. That also means that only one client can talk to one AP at a time. This isn't a limitation of a device (Cisco vs. Netgear); this is a limitation of the physical medium (airspace). Since you are programming for mobile devices, which will only support a single stream, you should plan on 1 dual-band AP per 50 devices. If you choose to only support 2.4 or 5 GHz (airspace issues with neighbor offices, for instance), then plan on 1 AP per 30 devices.
- The Cisco 887 only has a 100 Mb connection. If you keep with your current plan and do all of your L3 routing on the 887, it will become a bottleneck for anything that routes between your internal networks. Examples include: local replication for Dropbox, wireless syncing between iDevices and iTunes, copying files from machine A to B, Time Machine backups, etc. This bottleneck occurs because any time data must flow from one network to another (WLAN to LAN) it will need to be routed, and must go out, and then back in, from the same 100 Mb interface. This might not be a big deal, but I wanted to mention it, just in case.
- The wireless controllers are a good idea. The initial setup takes a little while longer, but from that point on, it becomes super easy to deploy more APs or WLANs. I don't know anything about them from personal experience, but I have heard good things about the Meraki APs. It is a cloud-based controller solution, which Cisco recently bought. EDIT for clarity: I don't know anything about the Meraki solution. I know A LOT about the Cisco Wireless Controllers :-).
- How are you powering your APs? Do you plan on using VoIP in the future? Consider both of these when deciding whether or not to order a switch with PoE.
- Also, I just noticed you are planning on putting a firewall in-line after the router. That further complicates your plan to route between subnets there. I would plan on purchasing an L3 switch. That would simplify the deployment considerably.
Hope this helps. Good luck.
It seems that you are using NAT instead of routing between BOX1 and BOX2. BOX2 needs to know how to reach the network behind BOX1. You can either configure static routes, or you can run a routing protocol between the two routers.
Routers learn routes in three ways:
- Routers inherently know about directly connected networks
- Statically through manual configuration
- Dynamically through a routing protocol
Static route configuration does not scale, but it may not be a problem in such a small network. You should not use NAT inside your network, only on the interfaces to the public Internet. Inside your network, just use routing, but you will somehow need to let BOX1 know about any networks behind BOX2, and vice versa. You can configure static routes on each router to do that, but you will need to shut down the NAT on the point-to-point link.
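The static-route arrangement described in the answer above, written out as an added example that is not part of the thread. It assumes IOS-style router syntax and entirely hypothetical addressing (BOX1 LAN 192.168.1.0/24, BOX2 LAN 192.168.2.0/24, point-to-point link 10.0.0.0/30, documentation prefix 203.0.113.0/30 for the ISP uplink) and that BOX1 is the only router that touches the public Internet; interface names are placeholders. The point it demonstrates is that the point-to-point link is treated as an inside, routed link, so traffic between the two LANs is forwarded by the static routes and never hits the NAT table, while NAT stays confined to BOX1's Internet-facing interface.

```cisco
! ===== BOX1 (Internet gateway) =====
interface GigabitEthernet0/1
 description LAN behind BOX1 (hypothetical addressing)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 description Point-to-point link to BOX2 -- routed, NOT an "outside" interface
 ip address 10.0.0.1 255.255.255.252
 ! If this was "ip nat outside", BOX2 was being treated like an ISP and
 ! every LAN-to-LAN packet was translated. Inside-to-inside traffic is
 ! never translated, so BOX2's LAN is now plainly routed.
 ip nat inside
!
interface GigabitEthernet0/0
 description Internet uplink -- the only interface where NAT belongs
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Only these sources may be translated, and never when talking to each other.
ip access-list extended NAT-INTERNAL
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT-INTERNAL interface GigabitEthernet0/0 overload
!
! Static route: the LAN behind BOX2 is reached via BOX2's end of the link
ip route 192.168.2.0 255.255.255.0 10.0.0.2
! Default route toward the ISP
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! ===== BOX2 (internal router, no NAT at all) =====
interface GigabitEthernet0/1
 description LAN behind BOX2 (hypothetical addressing)
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/0
 description Point-to-point link to BOX1
 ip address 10.0.0.2 255.255.255.252
!
! Static route: the LAN behind BOX1 is reached via BOX1's end of the link
ip route 192.168.1.0 255.255.255.0 10.0.0.1
! Everything else (the Internet) also goes to BOX1, which translates it
ip route 0.0.0.0 0.0.0.0 10.0.0.1

! ===== Alternative to the static routes: a routing protocol =====
! Same result on both boxes, each advertising its connected networks.
! BOX1 additionally originates the default so BOX2 needs no static at all.
! router ospf 1
!  network 10.0.0.0 0.0.0.3 area 0
!  network 192.168.1.0 0.0.0.255 area 0   (192.168.2.0 on BOX2)
!  default-information originate            (BOX1 only)
```

To check the result on either router, `show ip route static` (or `show ip route ospf`) should list the remote LAN with the link peer as next hop, `traceroute 192.168.2.10 source 192.168.1.1` from BOX1 should reach the host in one routed hop, and `show ip nat translations` on BOX1 should contain entries only for sessions toward the Internet, never for 192.168.1.x to 192.168.2.x pairs. If inter-LAN entries still appear, the point-to-point interface is still marked `ip nat outside` on one side.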
Best Answer
Here are a few points regarding the presented configuration, assuming you have shared your complete VLAN footprint for the physical and virtual switching.
Any additional information would be helpful:
- pfSense
- Apple Airport Config
- Network Modem attached to GE10
Primary questions regarding access revolve around routing. The Cisco SG-300 has a limited command set and is NOT a full IOS Cisco product. All of the routing can be done via the HTTPS interface of the device.