I think you could take some inspiration from a different scenario (but not so different from yours).
I’ve asked in the past here http://www.zeroshell.net/forum/viewtopic.php?t=1807&highlight=
The scenario was for TWO Ethernet cards (one is WAN and the second manages multiple VLANs with a VLAN-capable switch), where just one VLAN was visible to the others (#198 in my case).
Maybe this could help… I hope!