I can't say I had a similar setup, but in my old apartment I had several subnets where I could isolate connectivity in the way you describe. I had pretty good success with a Zentyal box (VM) as a router and a decent WiFi AP running DD-WRT. The basic setup was to define the networks and corresponding VLANs, then trunk them to the AP, where a different SSID was configured for each network. From there, just connect the devices to the right AP and use Zentyal's firewall to limit access.