Cisco Aironet 350 on subnet

I've got a FreeBSD server as my home gateway/firewall, and have the Aironet WAP plugged into the internal LAN switch. My goal is to have all WAP clients on a different subnet (A.B.111.0) from the local LAN (A.B.1.0).

My first attempt was to create an alias IP on the server's LAN interface, add rules to dhcpd.conf to handle the new subnet, then configure the WAP to obtain it's own IP from the new subnet. Well the WAP gets the right IP and router info, but WAP clients are still getting assigned IPs from the regular LAN subnet which is not what I want.

I have a feeling this is because the WAP is acting as a passthru device as all requests show up as 0.0.0.0.bootpc > 255.255.255.255.bootps

It makes logical sense that if I could have the WAP change the requests to 0.0.0.0.bootpc > A.B.111.255.bootps then that might do the trick, but I have a feeling that's not possible or even valid.

Can I accomplish my goal on a single switch (cheap Netgear) without resorting to hard coded MAC addresses in dhcpd?

Ok well I was able to get this working. I was playing with the VLAN settings, and not being too familiar just went ahead and configured one on the Aironet, and made it native, and that appears to force WAP to route it's requests according to it's current network configuration. I already had it configured on the newsubnet so it worked like a charm.

The only issue I had was the WAP clients listed the DHCP server as being on the wrong subnet. I dug through the dhcpd options and found this one that did the trick:

server-identifier A.B.111.1;

So now I have all my WAP clients on the new subnet, and have added rules to my IPFilter config to disallow any traffic except through the gateway so they are isolated. How isolated are they really though? Is there anything else I can do to lock things down, without too much hastle?