linux

How is subscriber Internet via Wi-Fi usually implemented?

To make it clearer, I will first describe what I am trying to achieve, and then I will specify the questions.
There are subscribers who connect to the access point. Somewhere, mac-addresses are predefined, and using them the subscriber rushes to the VLAN defined for him. Separate VLANs are needed to differentiate tariff rates.
Subscribers are divided into groups (families), each family has its own tariff and speed limit.
How it is implemented now:
Debian on which IPoE sessions are raised on virtual interfaces.
Each subscriber has its own VLAN of the VLAN2XXX, VLAN2YYY, VLAN2ZZZ types, and each such interface receives a dynamic IP from BRAS and, accordingly, a speed limit corresponding to the tariff.
Next, paired VLANs are created on Debian, which correspond to subscribers: VLANXXX, VLANYYY, VLANZZZ.
Forwarding and routing are configured between each pair of VLAN2XXX-VLANXXX, VLAN2YYY-VLANYYY, VLAN2ZZZ-VLANZZZ.
Pair interfaces VLANXXX-VLAN2XXX, etc. are needed only so that VLAN2XXX via DHCP via IPoE from BRAS receives Internet at a certain rate, and already on the paired VLANXXX interface a separate DHCP server with a separate pool of addresses is raised and this speed is distributed to several addresses in the family (not to one Wi-Fi device ).
All paired VLANXXX, VLANYYY, VLANZZZ are packed using QinQ into one VLAN, go out of the Debian network interface, enter the network, go to the terminal switch in the building, where they are deployed on the switch port into separate VLANXXX, VLANYYY, VLANZZZ and using MAC- VLAN (which is manually hammered for each poppy) there is an assignment to certain poppies certain VLAN. Poppies on this switch come from a nearby access point (the most common), in which DHCP is disabled.
There is also a separate guest VLAN, where poppies that are not registered in the MAC-VLAN table fall. They are thrown into a separate VLAN where a page for authorization and a proposal for registration pops up.
That is, there are a lot of families with their own tariffs, their devices are grouped into VLANs, and each such family VLAN has its own tariff.
I do not like this scheme somehow, even though it works.
Question 1: Maybe someone knows how to more delicately solve such a problem? Maybe there are such not very expensive access points that can both MAC-BASED-VLAN, and at the same time deploy QinQ?
Question 2: Can this be implemented in a very simple way, and I reinvent the wheel?
Question 3: Can anyone work with such things and tell you ready-made solutions?
If at the end of reading this reading you ask - why is this necessary? I will answer - well, damn it, that's it :)