On 16/01/17 21:54, John R Pierce wrote:
> On 1/16/2017 12:44 AM, Rob Kampen wrote:
>>>
>> Here's an idea - untested.
>> set up a network on the single nic - say 192.168.55.xx/24
>> set up the dhcp to offer leases from a subset of this network - say
>> 192.168.55.128/28
>> set up fixed leases based upon mac address from the remainder of the
>> network - i.e. outside the subset above - e.g. 192.168.55.1/28
>> then route / firewall as required - i.e. trusted known mac address
>> hence IP address allowed vs unknown guest given an IP address we can
>> block or otherwise handle.
>> As indicated, this is not tested but if memory serves, dhcpd will
>> allow this kind of allocation.
>
> the untrusted wireless users will be able to access other LAN machines
> without going through the firewall.
>
surely that depends upon the subnet they operate on (i.e. the subnet mask in old vernacular) - the two I show above are mutually exclusive but can both talk to the server.
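
The allocation scheme quoted above, written out as an ISC dhcpd configuration. This is an added example, not part of the original thread and not tested by its participants; the server address 192.168.55.1, the host names, the MAC addresses and the lease times are assumptions. It only controls which address a client is offered, so whether guest traffic actually crosses the firewall is the separate question the thread is debating.

```conf
# /etc/dhcp/dhcpd.conf (ISC dhcpd) -- constructed example
# Assumed: the server/firewall itself holds 192.168.55.1 on the single NIC.

authoritative;
default-lease-time 3600;    # assumed lease times
max-lease-time 7200;

subnet 192.168.55.0 netmask 255.255.255.0 {
    option routers 192.168.55.1;
    option subnet-mask 255.255.255.0;

    # Dynamic leases for guests: the usable hosts of 192.168.55.128/28.
    # "unknown-clients" are clients with no host declaration below, so
    # known machines never draw an address from this pool.
    pool {
        range 192.168.55.129 192.168.55.142;
        allow unknown-clients;
    }
}

# Fixed leases for trusted machines, keyed on MAC address and taken
# from the low /28 (192.168.55.1 - 192.168.55.14), outside the guest pool.
# MAC addresses are constructed values from the documentation range.
host trusted-desktop {
    hardware ethernet 00:00:5e:00:53:01;
    fixed-address 192.168.55.2;
}

host trusted-laptop {
    hardware ethernet 00:00:5e:00:53:02;
    fixed-address 192.168.55.3;
}

# Firewall rules can then treat 192.168.55.128/28 as the guest source
# range and 192.168.55.0/28 as the trusted range. The MAC address a
# client presents is not authenticated, so the fixed leases identify
# machines by convention only.
```

`dhcpd -t -cf /etc/dhcp/dhcpd.conf` checks the file for syntax errors before the service is restarted.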