On Tue, Dec 28, 2010 at 10:50 AM, Ryan Coleman <ryanjcole at me.com> wrote:
> I'm more concerned with getting the pieces working together - I'm not used to doing micro configurations... but I am not against trying.
>
> Thankfully the business has some money to throw at this, and since I do most of my development at the coffee house it's a fair write-off :)

I've worked extensively with pfSense as well as the ALIX board that Erik linked to. I couldn't recommend this combination enough, especially for a coffeeshop-type environment.

As Brian mentioned, this board will be able to easily handle anything that a cable internet or DSL connection can throw at it. In testing, I've found that they'll easily handle over and above 50 Mbit. This isn't completely applicable to this environment, but one point of interest is that I've tested their VPN (OpenVPN) throughput, and they'll do about 10 Mbit full duplex while encrypting. Not bad for a board that only draws 6 watts.

As you'd expect, the board is completely silent and has zero moving parts. You're not going to need to worry about any parts failing, which is very nice in this sort of environment. Honestly there's very little need for more horsepower, and you'd only be complicating things and creating avenues for future support issues.

As far as blocking P2P goes, usually the best idea is to start off with removing the default "allow" rule on the LAN interface and then start specifically allowing only traffic you want. TCP ports 80 and 443 will obviously be the bare minimum. Above and beyond that, I'd open 587/tcp (smtp submit), 22/tcp (ssh), and probably an assortment of ports to allow various VPN clients to function.

For DNS services, you can turn on dnsmasq on pfSense and then it will serve as a resolver for all internal clients, so you do not need to open up 53/tcp and 53/udp.

Regarding wireless: while the ALIX boards can support a mini PCI wireless card, I wouldn't recommend doing that. The reality is that wireless support (from the hardware side) is a bit anemic and you'll nearly always get a better wireless experience by using an off-board wireless router (with all routing/DHCP/NAT stuff turned off).

One additional thing that may or may not be of use for your colleague is that this board has three physical network interfaces. One will be used for WAN, one for LAN, leaving a third unused. If the staff might have a need for their own separate network, you can set up that third interface to be a "private" network, protected from the wireless network the customers are using. If the shop has a managed switch infrastructure (doubtful), you can also do this using 802.1q VLAN tagging.

I hope this cleared up a few things for you. Feel free to send any questions you may have!

-Erik

P.S. What coffee shop is this? It seems that most shops' internet connections are very, very slow, and I'd love to patronize a shop that has a decent connection. :)
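The "drop the default allow, then allowlist" LAN policy Erik describes, written out as a raw pf.conf sketch. This is an added example, not part of the original thread and not something pfSense ships; pfSense generates an equivalent ruleset from its GUI, but the raw form makes the ordering and the default-deny visible. Interface names (vr0 through vr2, the usual names on an ALIX board), the two subnets, and the VPN port list are assumptions chosen for illustration.

```pf
# Added example: pf.conf equivalent of a pfSense "allowlist only" LAN policy.
# Interface names, subnets and the VPN port list below are assumptions.

wan_if    = "vr0"
lan_if    = "vr1"   # customer wireless segment
staff_if  = "vr2"   # third port: private staff network
lan_net   = "192.168.1.0/24"
staff_net = "192.168.2.0/24"

# Ports customers may reach on the internet: 80/443 as the minimum, plus
# 587 (SMTP submission) and 22 (SSH) as suggested in the message. The VPN
# list is a placeholder (IKE, NAT-T, OpenVPN default); trim it to the
# clients actually in use.
web_tcp  = "{ 80, 443 }"
misc_tcp = "{ 587, 22 }"
vpn_udp  = "{ 500, 4500, 1194 }"

set skip on lo0
scrub in all

# Outbound NAT for both internal segments.
nat on $wan_if from { $lan_net, $staff_net } to any -> ($wan_if)

# Default deny on every interface. Logged, so blocked P2P attempts are
# visible in pflog instead of silently disappearing.
block log all

# With "quick" the first matching rule wins, so specific rules go first.

# Customers: DHCP, and DNS to the firewall itself (dnsmasq answers here),
# so port 53 never needs to be opened towards the internet.
pass in quick on $lan_if inet proto udp from any port 68 to any port 67
pass in quick on $lan_if proto { tcp, udp } from $lan_net to ($lan_if) port 53

# Keep the customer segment away from the firewall's other services
# (the web GUI answers on 80/443 too) and out of the staff segment.
# This must sit above the allowlist, or "to any port 80" would let it through.
block in quick on $lan_if from $lan_net to { ($lan_if), $staff_net, ($staff_if) }

# The allowlist. Anything not listed falls through to "block log all".
pass in quick on $lan_if proto tcp from $lan_net to any port $web_tcp flags S/SA keep state
pass in quick on $lan_if proto tcp from $lan_net to any port $misc_tcp flags S/SA keep state
pass in quick on $lan_if proto udp from $lan_net to any port $vpn_udp keep state
pass in quick on $lan_if proto esp from $lan_net to any keep state

# Staff segment: same DHCP/DNS handling, unrestricted outbound.
pass in quick on $staff_if inet proto udp from any port 68 to any port 67
pass in quick on $staff_if proto { tcp, udp } from $staff_net to ($staff_if) port 53
pass in quick on $staff_if from $staff_net to any keep state

# Let the state table carry permitted sessions out the WAN side.
pass out quick on $wan_if all keep state
```

Two points worth checking when translating this back into the pfSense GUI: pfSense applies `quick` to GUI rules, so the order of rules on the LAN tab is what decides the outcome, and the "block customers from the firewall and staff net" rule has to sit above the port allowlist for the same reason it does here. `pfctl -nf /etc/pf.conf` parses a ruleset without loading it, which is a cheap way to catch syntax mistakes before a change locks you out.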