Iptables – Block DHCP traffic for one device/mac address

Okay, I figured it out - I didn't untag the default vlan, which is causing traffic from default vlan to bleed into my kickstart vlan.

That's been fixed. DHCP assignments do not work anymore on those ports, but least I now know the problem. :)

1. Create a separate subnet for wireless on your router/L3 switch and set up the necessary routes to/from it.

2. Don't use the wireless router as a router, use in L2 bridged mode. This will make it into an AP. You don't want to route with that device, let your core L3 switch/router do the routing.

3. Put a DHCP forwarder entry (IP Helper in Cisco speak) that points at your DHCP server on that router/L3 switch.

4. Create the scope for the 10.10.20.0/24 subnet on the DHCP server.

If you have a flat L2 network structure internally, you won't be able to do this. You'll have to create a separate subnet for wireless. It's pretty common, though, so don't think it's unusual to do.

In the event that you have all SOHO gear in your office and don't have a real capable router that can handle vlans/multiple subnets/ip helpers/etc, just make your 10.10.10.0/24 into a /23 or /22 and broaden your scope. It would all be on the same broadcast domain, which is less than idea, but perfectly doable at that size. You don't really need to start separating traffic until you have a packed /21, in my experience.