1.) In order for your students on the private network to reach the webserver, and the webserver only, you'll need to have your firewall port forward HTTP (TCP port 80 or whatever port your server is set to listen for HTTP on) to just the IP address of the webserver (219.x.x.x). Your clients are still behind NAT, and the only access out of the firewall they would have is the access to the webserver.
One note: if your private network is one big network that includes students and administrators, be sure to segment it into the respective user groups. This will make configuring the firewall easier.
2.) Not sure on that one, but I'd imagine someone more familiar with BSD can tell you for sure. Check this link out, though.
http://www.openbsd.org/faq/pf/perf.html
3.) Your design is very good. As far as keeping your network secure from your users, I'd make certain that their local and network rights are just powerful enough to let them do what they need. If you are really concerned about hacking, maybe you should add an IDS like Snort to help you spot suspicious activity.
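
An added example, not part of the original post: a minimal OpenBSD `pf.conf` sketch of the setup described in points 1 and 2, with a default-deny policy, separate student and administrator segments, and students allowed out only to the webserver's HTTP port. The interface names, subnets, and the rule for administrators are assumptions, and `203.0.113.10` is a documentation-range placeholder standing in for the real 219.x.x.x address.

```conf
# /etc/pf.conf -- illustrative sketch (OpenBSD 4.7+ syntax), not a drop-in config

# --- Assumed names and addresses; replace with your own ---
ext_if    = "em0"              # interface facing the webserver / outside
int_if    = "em1"              # interface facing the private network
webserver = "203.0.113.10"     # placeholder for the webserver (219.x.x.x)
web_port  = "80"               # or whatever port the server listens on

# One table per user group, so each group gets its own rules
table <students> const { 192.168.10.0/24 }
table <admins>   const { 192.168.20.0/24 }

set skip on lo

# Default deny, logged to pflog0 so dropped attempts can be reviewed
block log all

# Clients stay behind NAT: rewrite their source address on the way out
match out on $ext_if inet from { <students>, <admins> } to any nat-to ($ext_if)

# Students: HTTP to the webserver and nothing else
pass in on $int_if inet proto tcp from <students> to $webserver port $web_port

# Administrators: broader outbound access (an assumption; tighten as needed)
pass in on $int_if inet proto { tcp, udp } from <admins> to any

# Outbound leg on the external interface. Anything arriving here already
# passed one of the inbound rules above, so this only completes the path.
pass out on $ext_if inet proto { tcp, udp } from any to any

# Note: no DNS is permitted for students in this sketch, so they must reach
# the webserver by IP address or through a resolver on their own segment.
```

Running `pfctl -nf /etc/pf.conf` parses the file without loading it, and `tcpdump -n -e -ttt -i pflog0` shows what the `block log` rule is dropping once the ruleset is loaded.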