Creating a 2nd network for kids

Hi all looking for a bit of advice im looking at implementing Open DNS Parental controls to my home network but i only want this applied to the kids devices. Im going to need to create a 2nd network in my house at the moment most of the kids devices are wifi but i want to be able to add ethernet devices at a later date my current network setup is attached

Network Layout

I need for both the WIFI APS to support multi SSID's and have the option of setting up a specific DNS for the SSID. I also want to be able to at some have ethernet devices that also have the parental controls any advise would be much appreciated

Should also point out i have a NAS connected to switch 3 this will need to be on both networks

Does the NAS support two network interfaces? At physical or logical level.

No the NAS only has 1 ethernet connection i will eventually change the NAS as its getting old and slow but havent got the funds or the time to do it properly at the moment as i will be replacing it with a home server.

I have done this on my network but it's pretty advanced Linux based iptables rules that have made this possible; I am not sure what off-the-self router could offer this feature.

Basically, on a per MAC address basis, I have setup my Linux router to catch all port 53 traffic and redirect it to OpenDNS name servers. Actually, I've gone further than that and can, on a per device (MAC address) level, push DNS queries for a device to any DNS servers I wish (Google DNS, OpenDNS, etc). So I can have a laptop using OpenDNS, and a desktop machine using Google DNS (for example).

I'm also using an Edimax wireless access point that allows multiple SSIDs, to offer a "guest" network. For this SSID, it has been configured to pass the traffic back onto the ethernet segment with a VLAN tag of 10. The Linux router ethernet interface has then been configured to service traffic with this same VLAN tag, with a default gateway IP, offering DHCP services etc with the added feature of capturing ALL DNS requests (regardless of MAC address) and forwarding them to OpenDNS. This has the added advantage of, no matter what DNS servers a client may attempt to query, their requests are caught and pushed to OpenDNS regardless - there is no way around it.

Given that it is pretty easy for devices to change MAC address, the VLAN tagging option might be a better approach for your requirements, only if the NAS supports that and can be configured to serve on both normal and VLAN tagged networks - but I find it highly unlikely it will support that, so all in all, your requirements are possible to implement but it could be tricky to adapt all devices to be setup and configured in a way which makes this possible.