On 1/16/2017 1:29 AM, Rob Kampen wrote:
> On 16/01/17 21:54, John R Pierce wrote:
>> On 1/16/2017 12:44 AM, Rob Kampen wrote:
>>> Here's an idea - untested.
>>> set up a network on the single nic - say 192.168.55.xx/24
>>> set up the dhcp to offer leases from a subset of this network - say
>>> 192.168.55.128/28
>>> set up fixed leases based upon mac address from the remainder of the
>>> network - i.e. outside the subset above - e.g. 192.168.55.1/28
>>> then route / firewall as required - i.e. trusted known mac address
>>> hence IP address allowed vs unknown guest given an IP address we can
>>> block or otherwise handle.
>>> As indicated, this is not tested but if memory serves, dhcpd will
>>> allow this kind of allocation.
>>
>> the untrusted wireless users will be able to access other LAN
>> machines without going through the firewall.
>>
> surely that depends upon the subnet they operate on (i.e. the subnet
> mask in old vernacular) - the two I show above are mutually exclusive
> but can both talk to the server.

you can't mix subnets like that. it just won't work. the local
broadcast address for the /24 isn't in either of your /28s, and what
do the two /28s use for their default gateway?

--
john r pierce, recycling bits in santa cruz
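To make the two objections in this thread concrete, here is an added Python check (not part of the mailing-list exchange) that evaluates the proposed addressing scheme under the two masks a client could be handed, a /24 or a /28; the server at .1, the trusted host at .5 and the guest at .130 are constructed sample addresses.

```python
import ipaddress

# Constructed sample of the scheme proposed in the thread: one /24 on the
# single NIC, a guest DHCP pool carved from 192.168.55.128/28, and
# MAC-pinned fixed leases carved from the low /28.
LAN = ipaddress.ip_network("192.168.55.0/24")
GUEST_POOL = ipaddress.ip_network("192.168.55.128/28")
TRUSTED_POOL = ipaddress.ip_network("192.168.55.0/28")  # "192.168.55.1/28" normalised

GUEST = ipaddress.ip_address("192.168.55.130")    # constructed guest lease
TRUSTED = ipaddress.ip_address("192.168.55.5")    # constructed fixed lease
SERVER = ipaddress.ip_address("192.168.55.1")     # assumed single-NIC server/firewall


def on_link(src: ipaddress.IPv4Address, prefixlen: int,
            dst: ipaddress.IPv4Address) -> bool:
    """A host sends directly (ARP, no router) to any address inside the
    network its own address/mask defines, so a firewall on the server
    only ever sees traffic that is NOT on-link from the sender's view."""
    src_net = ipaddress.ip_interface(f"{src}/{prefixlen}").network
    return dst in src_net


def review(prefixlen: int) -> dict:
    """Findings for the proposal when DHCP hands clients this mask."""
    guest_net = ipaddress.ip_interface(f"{GUEST}/{prefixlen}").network
    trusted_net = ipaddress.ip_interface(f"{TRUSTED}/{prefixlen}").network
    return {
        # First objection: with the real /24 mask the guest ARPs for the
        # trusted box directly and the firewall never sees the packets.
        "guest_bypasses_firewall_to_trusted": on_link(GUEST, prefixlen, TRUSTED),
        # With a /28 mask the guest cannot reach the server at .1 on-link
        # either, so it needs a default gateway inside its own /28.
        "guest_reaches_server_on_link": on_link(GUEST, prefixlen, SERVER),
        # Second objection: the /24 broadcast .255 lies in neither /28.
        "lan_broadcast_inside_guest_net": LAN.broadcast_address in guest_net,
        "lan_broadcast_inside_trusted_net": LAN.broadcast_address in trusted_net,
        # Leases left once network, broadcast and a gateway are set aside.
        "usable_guest_leases": guest_net.num_addresses - 3,
    }


if __name__ == "__main__":
    for bits in (24, 28):
        print(f"/{bits}:", review(bits))
```

Under /24 the guest and trusted hosts share one broadcast domain and the firewall is bypassed; under /28 the guest's segment contains neither the server nor the LAN broadcast address, which is the gateway problem raised above.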