@fohdeesha Very interesting, thanks for the info! I did a double-take at the notion that wireless APs rely on the MAC address for authenticity... that's what the session key is for! But then I realised that the AP needs to be able to map IP/MAC address to session key for incoming packets, so it makes sense; we'd need one session per MAC address.

Welp, I guess it's cable-running time...

I do wonder, though: could the hypervisor act as the gateway for a subnet containing the guests, so that only the hypervisor is using the wireless connection? I don't know how challenging that would be to implement in XCP-ng, but I expect there'd be security implications, and one would still need a router that allows you to manually configure routes. Although I don't think I've ever come across a residential router/gateway that doesn't allow that, I haven't messed around with them, and I expect the ISP would just remotely reset custom routes after a restart, which would be a nuisance.