I would do away with the router that you have in middle of the picture and instead add one more NIC to the firewall and connect the server to that extra NIC and create a DMZ for the server that way. That would also remove the requirement of the server to act as a router or a bridge because only one of its NICs would be needed.
Actually, there is no real hardware firewall. I set the server up as the firewall and router. I can control the traffic or do some investigation if I set my server as the router. Also, the server's services are directly exposed to the WAN, so port forwarding is not needed to access the server from the WAN.
If one of those switches is VLAN capable and has enough ports, I would get rid of both the router and right hand switch. Server is/would be your router/firewall. One VLAN for the laptops, a different VLAN for the WiFi.
I really appreciate that you were reading at the packet and frame layer to understand NAT.
I took the easy way out and use pfSense.
Like I mentioned before, you can find really inexpensive Atoms/Celerons to which you can add a 4-port Intel Gigabit adapter.
That should give you 5 or 6 ports to use: one for WAN, the rest for your LAN.
I prefer dedicated firewall appliances with an x86 chip.
Perhaps look at PCEngines APU2. The whole rig costs under $150 for a dedicated headless appliance.
They sell it as a kit and they also will assemble and test for 5-10 bucks more. Really nice people to deal with.
Thank you for your suggestion. However, have you noticed the network printer? It is one of the reasons I have to use a commercial BSD. The available driver for that network printer only supports Windows and the commercial BSD. If I want to print something remotely (from the WAN), I have to use that BSD (I use the CLI to print things like screen output directly to the remote printer).
PS: Actually, I have tested remote printing. I was outside and was able to access the printer via the WAN.