VLAN is rather simple enough to set up.

however my basic kununderum is this

TWIN/tipple VLAN for filter authenticated/unauthenticated . obviously you can use alias nic on nic

WLAN AP---->(VLAN) WLAN-NIC-I/O----->Firewall----> Internet with restrictions i/e QOS and abuser crackdown will cut them to 33.6kbs if they start getting out kazza or your tube but wont restrict a weary traveler who just needs his maps etc. or a quick email and basic wifi polite leaching , but will crack down if the user is a thieving neighbor etc.

the trafic shapping aspect simple enough thiers several ways to do so.

assumptions nat nic alias bridge xxx.xxx.xxx.WAN-IP-alias DMZ forward real Wlan nic . and separate virtual subnets 10.10.253.xxx untrusted trusted

again some what simple.

MY METHOD OF Authentication at present time can be done by the WLAN AP but leaves a bit desired.

Ideally in time pki/kerberos/ldap based server authentication in addition too, in time but will stick to basics on initial config

MAC authentication

type one full lan/wan

type two my style crimping will not chop my LAN PARTY BUDS or other frequent guests/clients but still no local network just dmz shadowing

type three traffic shaper / slapper . free but network protection via a low QOS queue vlan /vlan dmz shunt
(but some hosts I/E playstation XBOX etc will need basic authentication
can add proxie host in via ip manually )

Wireless open and free is now illegal in some locations recently Denmark. (oddly forcing security due to anti-terrorism legislation i/e users must be tracked on a fully open WLAN) if the USA enforced fines etc theyd have to teach most user about security and wifi but many devices tend to work none to well with most early AP or odd keys and even large wep keys will in time crumble or inter-brand inter opp can be wanting.

I have my own network and load-balancing issues , so i don't want unauthenticated guests becoming pests
(i/e i can be hospitable but keep guests isolated from my network is wanted, and keep em from dropping my network by overloiading it. )

anyhow part of the methodology i understand

on parts of a basic vlan but 3 teirs of authentication

authenticated user , authenticated guest (restricted privileged dmz priority 4 queue same as most local net apps) , unauthenticated guest (restricted accesses 10 priority QOS)

anyhow hard connected hosts to firewall wont be delt with in this manor..

its yes i dont mind if you use my wireless respectfully , no unless i trust you your not seeing my local network you just get an isolated dmz

it may be easier to add a WLAN to an isolated dmz with i/e one host. wan path

then add VLAN to to loacal network if authenticated by mac or etc and or acl.

just a few items are making me scratch my head on were to get enough information to author an advanced vlan config.

at the moment I'm roughly 1/2 thier on a rough how to idea to test but a few parts missing .