Here is a little something that I've done... I've played around a bit.. but not too much.
(note: encryption was not enabled on this network at the time...so I don't know if you can grab valid MAC addresses through sniffing encrypted traffic)

If the client has MAC filtering enabled... sniff for a while and get some valid MAC addresses.

When that specific MAC address isn't in use, then spoof that MAC address and use it as your own.

You will then get an IP on the network. Either through DHCP or by statically assigning your IP.

You can then get access to the router... because you will be on the internal wlan.
Since the cheap routers (linksys/dlink/etc) don't allow you to put ACLs on who can access the router.

Find out what the user id for that model is (should show you model when you go to login... at least the ones I've messed with.)

Then fire up something like brutus and put in the userid that you know and get a good password list. Start brute forcing/password guessing the router admin page.

Set the parameters in brutus (or other similar script kiddy tool) to go a bit slower and to retry after three logins (or appropriate logins... linksys like to use 3 I believe... so does d-link) since it'll block your attemts. the program can disconnect and reconnect over and over until it guesses the right password.

I've had success doing this on my buddy's wlan.

Then I was able to add my NIC to the MAC filters or whatever else I wanted... basically if you own the router then you can do what you like on the network as far as accessing it.

After that we enabled the encryption and it was time to go home. I'd like to get back over there and play some more... actually I'd like to get myself one to mess about with.