On Tue, Dec 28, 2010 at 10:50 AM, Ryan Coleman <ryanjcole at me.com> wrote:
> I'm more concerned with getting the pieces working together - I'm not used to doing micro configurations... but I am not against trying.
>
> Thankfully the business has some money to throw at this, and since I do most of my development at the coffee house it's a fair write-off :)

I've worked extensively with pfSense as well as the ALIX board that
Erik linked to. I couldn't recommend this combination enough,
especially for a coffeeshop-type environment. As Brian mentioned, this
board will be able to easily handle anything that a cable internet or
DSL connection can throw at it. In testing, I've found that they'll
easily handle over and above 50 Mbit. This isn't completely applicable
to this environment, but one point of interest is that I've tested
their VPN (OpenVPN) throughput, and they'll do about 10 Mbit full
duplex while encrypting. Not bad for a board that only draws 6 watts.
As you'd expect, the board is completely silent, has zero moving
parts. You're not going to need to worry about any parts failing,
which is very nice in this sort of environment. Honestly there's very
little need for more horsepower, and you'd only be complicating things
and creating avenues for future support issues.

As far as blocking P2P goes, usually the best idea is to start off
with removing the default "allow" rule on the LAN interface and then
start specifically allowing only traffic you want. TCP ports 80, 443
will obviously be the bare minimum. Above and beyond that, I'd open
587/tcp (smtp submit), 22/tcp (ssh), and probably an assortment of
ports to allow various VPN clients to function. For DNS services, you
can turn on dnsmasq on pfSense and then it will serve as a resolver
for all internal clients, so you do not need to open up 53/tcp and
53/udp.

Regarding wireless: while the ALIX boards can support a mini PCI
wireless card, I wouldn't recommend doing that. The reality is that
wireless support (from the hardware side) is a bit anemic and you'll
nearly always get a better wireless experience by using an off-board
wireless router (with all routing/DHCP/NAT stuff turned off).

One additional thing that may or may not be of use for your colleague
is that this board has three physical network interfaces. One
will be used for WAN, one for LAN, leaving a third unused. If the
staff might have a need for their own separate network, you can set up
that third interface to be a "private" network, protected from the
wireless network the customers are using. If the shop has a managed
switch infrastructure (doubtful), you can also do this using 802.1q
VLAN tagging.

I hope this cleared up a few things for you. Feel free to send any
questions you may have!
-Erik
P.S. What coffee shop is this? It seems that most shops' internet
connections are very, very slow, and I'd love to patronize a shop that
has a decent connection. :)
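The default-deny LAN policy, the dnsmasq-only DNS path and the isolated staff port described in Erik's message, written out as an added example in raw pf syntax (the rule language pfSense generates behind its GUI). This is not configuration from the thread or from the pfSense project; the interface names (vr0/vr1/vr2, as on an ALIX board), the two subnets and the particular VPN ports (OpenVPN 1194/udp, IPsec 500/4500/udp plus ESP) are assumptions and should be adjusted to the actual site.

```pf
# Assumed interface names and addressing (adjust to the real board/site).
wan_if   = "vr0"              # cable/DSL uplink
lan_if   = "vr1"              # customer network, fed by the off-board AP
staff_if = "vr2"              # third port: staff "private" network
lan_net   = "192.168.1.0/24"
staff_net = "192.168.2.0/24"

# Outbound allow-list for customers: web, SMTP submission, SSH.
cust_tcp = "{ 80, 443, 587, 22 }"
# Assumed VPN client ports: OpenVPN and IPsec/NAT-T (plus ESP below).
vpn_udp  = "{ 1194, 500, 4500 }"

set skip on lo0

# Replaces the default "allow anything" LAN rule: nothing passes unless
# a later rule says so. "log" lets you see what P2P clients try.
block log all

# Masquerade both internal networks behind the WAN address.
nat on $wan_if from { $lan_net, $staff_net } to any -> ($wan_if)

# Firewall-originated and stateful return traffic out of each interface.
pass out quick on $wan_if keep state
pass out quick on { $lan_if, $staff_if } keep state

# Clients get DHCP and talk only to the firewall's own dnsmasq resolver;
# since 53/tcp and 53/udp to the Internet are never opened, external
# resolvers (a common P2P/censorship-evasion trick) are unreachable.
pass in quick on { $lan_if, $staff_if } inet proto udp \
    from any port 68 to any port 67
pass in quick on $lan_if inet proto { tcp, udp } \
    from $lan_net to ($lan_if) port 53 keep state
pass in quick on $staff_if inet proto { tcp, udp } \
    from $staff_net to ($staff_if) port 53 keep state

# Customers may never reach the staff network, whatever port they use.
block in quick on $lan_if from $lan_net to $staff_net

# Customer allow-list: only the listed services leave the building.
pass in quick on $lan_if inet proto tcp \
    from $lan_net to any port $cust_tcp keep state
pass in quick on $lan_if inet proto udp \
    from $lan_net to any port $vpn_udp keep state
pass in quick on $lan_if inet proto esp from $lan_net to any keep state

# Staff are trusted outbound but are kept off the customer segment.
block in quick on $staff_if from $staff_net to $lan_net
pass in quick on $staff_if from $staff_net to any keep state
```

Rule order matters: pf evaluates top to bottom and, without `quick`, the last match wins, so the `block log all` at the top is the safety net and every `pass ... quick` is an explicit exception to it. If the shop does use 802.1q instead of the third physical port, the only change is defining `staff_if` as a VLAN subinterface (e.g. `vlan20` on `vr1`); the rules stay the same. After editing, `pfctl -nf /etc/pf.conf` checks the syntax before loading.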