Safely adding insecure devices to my home network

Yes, your solution is also OK, but it adds one switching hop plus config overhead. You can achieve this with one router by doing the following:

  • Configure two VLANs, connect trusted hosts to one VLAN and untrusted to another.
  • Configure iptables to not allow trusted to non-trusted traffic (and vice versa).

Hope this helps!


It's completely possible, but I'd like to address a few things first.

My current solution is to plug my cable modem into a switch and connect two wireless routers to the switch. My computers connect to the first router, everything else connects to the second router.

It's interesting that both routers have internet access when your cable modem appears to be just a modem. Does your ISP do NAT? If not, I'd recommend taking the switch out (is it really a switch, or is the switch capable of NAT?) and placing one of your DD-WRT routers as the gateway. Your current setup as it is (without knowing which port the routers were wired to) may either have IP address conflicts, or may occasionally experience random and sporadic loss of connectivity on one or the other network.

Is it possible to segregate Wi-Fi traffic into multiple VLANs on a single access point?

Yes, but it'll take a bit of config work and some testing. I use a similar setup myself for segregating a guest network. The method I'll describe below doesn't involve VLANs.


DD-WRT (among others) supports creating multiple SSIDs on the same AP. The only thing you need to do is create another bridge, assign it to a different subnet, then firewall it off from the rest of the main network.

It's been a while since I last did it this way, but it should go something like this (be prepared to lose connectivity):

  1. Open an access point's config page
  2. Go to Wireless => Basic Settings
  3. Under Virtual Interfaces click Add[^virtif]
  4. Give your new IoT SSID a name and leave Network Configuration to Bridged, enable AP Isolation as you wish
  5. Go to tab Wireless Security, set your passwords, and set Security Mode to nothing less than WPA2-Personal-AES if possible[^nDS]
  6. Go to tab Setup => Networking
  7. Under Bridging, click Add
  8. Give your bridge an arbitrary name[^brname], maybe br1?
  9. Give your bridge an IP address that is not on the same subnet as your main network[^ipaddr]
  10. (You may have to click Save then Apply Settings to get this to show up) Under Assign to Bridge, click Add, then assign br1 to Interface wl0.1 or whatever interface name it was given[^virtif], save and apply
  11. Under Multiple DHCP server, click Add and assign it to br1[^note1]

  12. Go to Administration => Commands and paste these (you might have to adjust the interface names)[^note2]
    # NAT the IoT subnet out of the WAN interface (get_wanface prints its name)
    iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
    # Allow new/related connections coming from the IoT bridge (br1) to be forwarded
    iptables -I FORWARD -i br1 -m state --state NEW,RELATED -j ACCEPT
    # Inserted last, so it is checked first: block IoT (br1) -> main LAN (br0)
    iptables -I FORWARD -i br1 -o br0 -j REJECT
    And click Save Firewall

  13. You should be all set, I think

For more details, you can take a look at http://www.alexlaird.com/2013/03/dd-wrt-guest-wireless/

A caveat for this is that this setup is effective only for the gateway router/AP. If you want the same setup to work for the other router, you'll have to use VLANs. The setup is similar, but it's a bit more involved. The difference here is that you'll have to configure and bridge a new VLAN to the IoT SSID and maybe do some routing rules.

[^virtif]: The first is usually the physical interface and is often labelled wl0. Your virtual interfaces (up to three, if I'm not mistaken) will be labelled wl0.1, wl0.2, and so on.

[^brname]: This will be the interface name DD-WRT will give to the bridge interface.

[^ipaddr]: Say your main network is on 172.16.1.0/24, give br1 an address of 172.16.2.0/24.

[^nDS]: If you have a Nintendo DS, you'll have to use WEP. Alternatively, you could create another SSID just for the NDS and have it also bridged to br1 for convenience.

[^note1]: At this point after applying settings, anything that connects to the IoT SSID will now be assigned to a different subnet. However, the two subnets can still communicate with each other.

[^note2]: This bit might need some work.
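As an added illustration (not part of the answer above, nor DD-WRT's own code), the following Python models iptables first-match evaluation for just the two FORWARD rules in step 12. It shows why both must be added with -I in that order: the REJECT lands ahead of the ACCEPT, so new IoT-to-LAN connections are rejected while IoT-to-Internet ones pass, whereas with -A the order flips and the isolation silently breaks. The WAN interface name is an assumption, and the stock DD-WRT rules (which decide whatever these two rules do not match) are not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

WAN_IF = "wan"   # assumed name for what `get_wanface` prints; differs per router

@dataclass
class Rule:
    target: str                       # ACCEPT or REJECT
    in_if: Optional[str] = None       # -i
    out_if: Optional[str] = None      # -o
    states: Optional[set] = None      # -m state --state

    def matches(self, pkt: dict) -> bool:
        return ((self.in_if is None or pkt["in"] == self.in_if)
                and (self.out_if is None or pkt["out"] == self.out_if)
                and (self.states is None or pkt["state"] in self.states))

@dataclass
class Chain:
    rules: list = field(default_factory=list)

    def insert(self, rule: Rule) -> None:   # iptables -I: prepend to the chain
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A: add at the end
        self.rules.append(rule)

    def verdict(self, pkt: dict) -> str:    # first matching rule wins
        for r in self.rules:
            if r.matches(pkt):
                return r.target
        return "FALLTHROUGH"   # not decided here; the stock DD-WRT chain decides

def build_chain(use_insert: bool = True) -> Chain:
    """The two FORWARD rules from step 12, in the order the answer lists them."""
    ch = Chain()
    add = ch.insert if use_insert else ch.append
    add(Rule("ACCEPT", in_if="br1", states={"NEW", "RELATED"}))
    add(Rule("REJECT", in_if="br1", out_if="br0"))
    return ch

def check_isolation(ch: Chain) -> tuple:
    """Verdicts for new IoT->LAN, IoT->Internet and LAN->IoT connections."""
    return (ch.verdict({"in": "br1", "out": "br0", "state": "NEW"}),
            ch.verdict({"in": "br1", "out": WAN_IF, "state": "NEW"}),
            ch.verdict({"in": "br0", "out": "br1", "state": "NEW"}))

if __name__ == "__main__":
    print("with -I (as in the answer):", check_isolation(build_chain(True)))
    print("with -A instead:           ", check_isolation(build_chain(False)))
```

Note that LAN-to-IoT falls through in both cases: the step-12 rules only stop the IoT side from initiating connections to the main LAN.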


Is this enough to completely segregate my computers from everything else?

Assuming your connection from router 1 to the Switch is using the WAN port of the router and you are not sharing WAN and LAN in OpenWRT (meaning you did not change the default settings and did the cabling as you would when connected directly to the modem), you are mostly fine.

Of course your devices on router 2 could send traffic to anybody, which can be a problem in itself (usage statistics, camera images, sound over microphones, information about WLAN, GPS receivers etc. depending on devices).

Also, is there a simpler solution using a single router that would effectively do the same thing? I have the following routers, both with DD-WRT:

You can configure your ports separately and route the bad traffic separately from the good traffic. Your keyword would be DMZ; there are plenty of tutorials available.

If you want more complexity, you can also enable VLANs. This way you can put additional VLAN-aware devices behind the router and connect both types of devices to them, essentially making your whole home behave as if every device were plugged directly into a port of one of the two routers, even if you have only a single router and 5 switches daisy-chained behind it... but do this only if you must, as the possibility for error is substantial and the benefit depends on your cabling (almost none when using a star topology, great when having to use a ring topology).
