CommScope RUCKUS Community Forums

... which is a very basic solution. If a client/student is so intelligent to set his DNS server to e.g. 8.8.8.8 (google public dns) your restriction is circumvented. And my students are a lot smarter than that :). Btw. every proxy application will still work.

Why would someone have the money for a ZD but not a firewall?

Yes it is a very basic solution, but it is free and it works while the access control of ruckus does not work.
In our school we have wired and wireless devices for which you need administrator privileges in order to change network setting (and this should be the standard).
Your point is right for mobile devices owned by the students, however they still need to set static IP and DNS. I bet that less than 20% of them are able to do this.
If you know any other free solution, please let me know.

My free-favorite: pfSense (www.pfSense.org) with suricata (for App-Filtering) and squid/Dansguardian for WebFiltering as plugins (yes, this is not easy to configure).

You can also look at: https://www.untangle.com/shop/NG-Firewall-Free/ or
https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx (it is called home edition, but I think there is no legal restriction for corporate use)
Maybe these also get the job done.

But like Tuananh said: we're talking about 300-4000€/$ (depending on size). In my opinion a good (e.g. Cisco, Fortinet, PaloAlto) firewall is more importand than an additional AP for greater WiFi coverage. 

"I bet that less than 20% of them are able to do this" You are correct, but those students will tell the other 80% for sure. And everybody can google: "circumvent firewall" and will get a proxy as a suggestion. Therefore those basic countermeasures are maybe suited for primary but certainly not for secondary education!