FreeBSD machine instead of wireless hotspot device

[Angelin Lalev]

I have wireless hotspot device (Handlink WG-601) which I need to replace with FreeBSD machine. 
The device has following functionality I need to replicate: 

1. It has dhcp server (that's easy) 
2. It makes NAT between it's "internal" interfaces and "wan" interface (easy too, but look at 3). 
3. It actually responds on every ARP request coming on it's internal interfaces. That allows it to act 
as router for machines that instead of using dhcp are configured with wrong static IP addresses. 
4. It can use RADIUS for authentication of the users. 
Actually, non-authenticated users are given IP address (no WPA, TKIP, etc) and when they first 
try to load a web page are redirected to authentication web-page. Then their username and password 
are checked against RADIUS database and only then they are allowed to connect to the outer network. 

Two more things: 

1. It was part of a larger wireless hotspot service, sponsored from the government and implemented by outer organization, so buying another with my organization's money is out of the question. 
2. I'm aware of the issues with security but again I cannot modify the policy there.

I'll be very thankful for any ideas.