In a past life I used the third port as a fail-over to a T1 connection that was brought in for my company's VOIP phone system. If the main DSL line ever went down, it would automatically cut over to the T1 connection. If you shop around for hardware that's marketed for this purpose, you'll find that it can get pretty spendy. Considering everything that ALIX board was (is) doing, it is a total bargain.

-Erik

On Tue, Dec 28, 2010 at 3:53 PM, Erik Anderson <erikerik at gmail.com> wrote:
> On Tue, Dec 28, 2010 at 10:50 AM, Ryan Coleman <ryanjcole at me.com> wrote:
>> I'm more concerned with getting the pieces working together - I'm not used to doing micro configurations... but I am not against trying.
>>
>> Thankfully the business has some money to throw at this, and since I do most of my development at the coffee house it's a fair write-off :)
>
> I've worked extensively with pfSense as well as the ALIX board that
> Erik linked to. I couldn't recommend this combination enough,
> especially for a coffeeshop-type environment. As Brian mentioned, this
> board will be able to easily handle anything that a cable internet or
> DSL connection can throw at it. In testing, I've found that they'll
> easily handle over and above 50 Mbit. This isn't completely applicable
> to this environment, but one point of interest is that I've tested
> their VPN (OpenVPN) throughput, and they'll do about 10Mbit full
> duplex while encrypting. Not bad for a board that only draws 6 watts.
> As you'd expect, the board is completely silent, has zero moving
> parts. You're not going to need to worry about any parts failing,
> which is very nice in this sort of environment. Honestly there's very
> little need for more horsepower, and you'd only be complicating things
> and creating avenues for future support issues.
>
> As far as blocking P2P goes, usually the best idea is to start off
> with removing the default "allow" rule on the LAN interface and then
> start specifically allowing only traffic you want. TCP ports 80, 443
> will obviously be the bare minimum. Above and beyond that, I'd open
> 587/tcp (smtp submit), 22/tcp (ssh), and probably an assortment of
> ports to allow various VPN clients to function. For DNS services, you
> can turn on dnsmasq on pfSense and then it will serve as a resolver
> for all internal clients, so you do not need to open up 53/tcp and
> 53/udp.
>
> Regarding wireless: while the ALIX boards can support a mini PCI
> wireless card, I wouldn't recommend doing that. The reality is that
> wireless support (from the hardware side) is a bit anemic and you'll
> nearly always get a better wireless experience by using an off-board
> wireless router (with all routing/DHCP/NAT stuff turned off).
>
> One additional thing that may or may not be of use for your colleague
> is that this board has three physical network interfaces. One
> will be used for WAN, one for LAN, leaving a third unused. If the
> staff might have a need for their own separate network, you can set up
> that third interface to be a "private" network, protected from the
> wireless network the customers are using. If the shop has a managed
> switch infrastructure (doubtful), you can also do this using 802.1q
> VLAN tagging.
>
> I hope this cleared up a few things for you. Feel free to send any
> questions you may have!
> -Erik
> P.S. What coffee shop is this? It seems that most shops' internet
> connections are very, very slow, and I'd love to patronize a shop that
> has a decent connection. :)
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at mn-linux.org
> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
>

-- 
Erik K. Mitchell -- Web Developer
erik.mitchell at gmail.com
erik at ekmitchell.com
http://ekmitchell.com/
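The LAN allowlist and the separate staff network on the third port, as described in the quoted message, written out as an added example in raw FreeBSD pf syntax. This is not code from the message or from the pfSense project: pfSense is built on pf but enters these rules through its Firewall > Rules pages rather than a hand-edited pf.conf, so this is the policy the GUI rules would amount to. The interface names (vr0/vr1/vr2), the subnets and the OpenVPN UDP port 1194 are assumptions.

```pf
# Added example (not from the original message): default-deny on the LAN
# with an explicit outbound allowlist, plus an isolated staff network on
# the ALIX board's third port. Interface names, subnets and the VPN port
# are assumptions.
ext_if    = "vr0"               # WAN: DSL or cable modem
lan_if    = "vr1"               # customer (wireless) LAN
staff_if  = "vr2"               # third port: private staff network
lan_net   = "192.168.1.0/24"    # assumed customer subnet
staff_net = "192.168.2.0/24"    # assumed staff subnet
allowed_tcp = "{ 80, 443, 22, 587 }"   # web, ssh, smtp submission
vpn_udp     = "{ 1194 }"               # OpenVPN default; extend per VPN client

set skip on lo0
nat on $ext_if from { $lan_net, $staff_net } to any -> ($ext_if)

# Replaces pfSense's default "LAN to any" allow rule: nothing comes in on
# any interface unless a rule below says so. Logged so blocked P2P
# attempts show up in the firewall log.
block in log all
# Traffic the firewall itself originates (its own DNS lookups, DHCP
# offers) is allowed out; replies ride the state created here.
pass out quick all keep state

# Clients get DHCP and DNS from the firewall (dnsmasq), so no rule
# opens 53/tcp or 53/udp toward the Internet.
pass in quick on { $lan_if, $staff_if } proto udp from any port 68 to any port 67
pass in quick on $lan_if   proto { tcp, udp } from $lan_net   to ($lan_if)   port 53
pass in quick on $staff_if proto { tcp, udp } from $staff_net to ($staff_if) port 53

# Keep the customer LAN and the staff network apart. These sit before
# the outbound allow rules so "to any" can never match the other subnet.
block in quick on $lan_if   from $lan_net   to $staff_net
block in quick on $staff_if from $staff_net to $lan_net

# Outbound allowlist for customers: only the listed TCP ports and the
# VPN port(s). Everything else hits "block in log all".
pass in quick on $lan_if proto tcp from $lan_net to any port $allowed_tcp flags S/SA keep state
pass in quick on $lan_if proto udp from $lan_net to any port $vpn_udp keep state

# Staff get the same allowlist; widen only this interface if they need more.
pass in quick on $staff_if proto tcp from $staff_net to any port $allowed_tcp flags S/SA keep state
pass in quick on $staff_if proto udp from $staff_net to any port $vpn_udp keep state
```

Two things to keep in mind when reading it: the DHCP server on each interface has to hand out the firewall's own address as the DNS server, or clients will try port 53 elsewhere and be blocked; and the allowlist stops P2P only to the extent that a client cannot reach its peers on 80, 443 or the VPN port, since pf filters on ports and addresses and does not inspect what runs inside an allowed connection.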