First of all, sorry I came off funny to begin with. Most times I don't get my intent across in written words..... Oh well.... As I stick around I may become better known....
Originally I thought it may be easy since this had to be the backend for every wireless hotspot with billing. I.E. a gateway with a hidden network that authenticates and then allows access to the Internet. (Thus, something similar to what I wanted to do had already been implemented in thousands of places across the nation.)
However, the more I think about this the less true I believe it is. I now assume that the backend of a pay hotspot is authenticated over the Internet. Would this be a correct assumption?
As for the separate sub-net, that's exactly what I was looking for. I was completely ignorant as to the separate sub-nets not being able to see one another. I also picked up lost of other tidbits, like setting the wireless channels as far apart as possible in channel numbers. (Actually, I plan on putting them physically apart, too).
So, I should be able to get a wireless router (with some added functionality above NAT, I.E. port blocking and a password) and set it up on another sub-net. Obviously, it has to have good password protection or a hard-set dipswitch to prevent changes. The users will be on the configurable side. Anyone know of a wireless router with some sort of hard lockout?
As for my provider seeing the additional traffic, I don't know if this is a big deal (I'll check my contract, though). If the users are doing nothing illegal (why I want to block everything except web and ftp), then all they will see is an increase in traffic. This area is not covered with any pay hotspot, so I'm not stealing business. All the traffic will come out on my one public address, since the firewall has NAT functionality. And I read one time that most users don't even turn WEP on in their gear. The users leave the stuff they buy on defaults (no WEP). Since the ISP already treats me like a moron when they have problem, why not become one and 'accidentally' leave my wireless access point unprotected?