Comment Already doing this (Score 1) 332
I'm on an IT committee at my church as well. We've set up an old Dell Dimension 2400 with pfSense 2.0. 3 NICs (1 on-board, 2 PCI) and set up two VLANs, one VLAN being their office LAN and the other being a Captive Portal enabled VLAN with three WRT54G WAPs loaded with Tomato.
Firewall rules were created in pfSense to prevent wireless users from accessing the office LAN and wireless segregation was enabled on the access points to prevent chatter between wireless clients (prevents infected clients from attacking potentially vulnerable clients on the same network).
pfSense has a voucher system that allows you to create several rolls of time-based vouchers. You can either give the teachers a roll of active vouchers that are only good for a certain length of time, (say, the length of the Sunday school class) or you can set pfSense scheduling to restrict all access to the Captive Portal off-hours.
You can also add MAC address exceptions to the Captive Portal instead, (not really completely secure, but keeps your average users out) limit the number of associated users and bandwidth per associated client to prevent one user from monopolizing the entire connection.