following on from
http://www.ex-parrot.com/pete/upside-down-ternet.html

I was having a little think about how to make this concept more secure.

its easy enough to separate known and unknown clients out via MAC address.
but that system is easier to break than it is to set up

either, sniff out a mac address already connected to the system, and spoof that address.
or, more simply, set a static IP on your wifi device, and avoid the redirection completely.

so, is anyone aware of a relatively straight forward setup that would allow me to identify clients on my network without relying on MAC address, would more forcefully separate out known and unknown hosts (vlan??).
As well as doing so without alerting them to the fact, and without requiring known hosts to do anything special, or install software. Or requiring any more hardware than I have already.

(hardware = a debian box with 2 NIC's acting as a gateway between all internal network, and the billion router which handles the outside world not getting in, and a WAP attached to the internal side of the network. also somewhere I have a wifi card that I could attach to the server to replace the AP)

I assume some sort of authentication mechanism is required, but I dont know much more past that.

any ideas?

well fundamentally 802.1x is really gonna be the way to do what you want, being able to place machines into certain vlans based on their authentication to the network. This functionality is dependent on the switch you use though, so can be costly to implement. It is the "right way" to do it though.

Thanks for the reply.
I suspected that would be the case, unfortunate, my hardware doesnt support that, and as this is a purely academic pursuit its not worth spending on. ah well.
I shall keep searching, perhaps I can find a "wrong" way to do it :P