(First read: I haven’t done testing)

Spoof the MAC of the gateway to then attack higher layers. Nice.

Looks like useful way to also possibly become the authoritative DHCP server where you can then configure the normal DHCP settings: DNS, IP addresses, next hop, and of course DHCP Option 121 routes.

That of course assuming there’s not some other thing that would prevent it.

Might be time to dust off this library from the old TunnelVision days:
https://github.com/superit23/arcanetrickster