On 9/18/2017 10:03 AM, Nicolas Kovacs wrote: > This year the school's director wants to completely block Internet > access for all the student's personal devices. MAC addresses can easily be forged, IP addresses can easily be changed, none of that is secure if its on the same network segment The student's personal devices should be on a completely different 'guest' subnet, enforced by the wireless infrastructure, via use of a captive portal and/or WPA2-EAP authentication. Presumably most of the schools infrastructure is on ethernet? those ethernet connections should be kept physically secure so noone unauthorized can plug/unplug anything into the ethernet. THEN you'd use iptables to enforce access restrictions on this guest subnet. -- john r pierce, recycling bits in santa cruz