I believe all of this is possible (even multiple SSIDs with one router) with OpenWRT or DD-WRT on certain hardware, but I never got it working right. I just ended up using an two Linksys routers (one with open wifi, one encrypted) and pfSense as a router. You can even do this with just pfSense and couple wireless cards. Private wifi bridges to the local network, public is on an isolated subnet. pfSense traffic shaping keeps users in check. I have a QOS class for "public" traffic which is limited to a couple mbit/sec down and few dozen kb/sec up. Rock solid, more than I can ever say for either of the Linksys routers.
I found pfSense: The Definitive Guide to be a decent dead trees source for getting started with pfSense.