- WEP protection is a joke. 8 of the 9 access points around my apartment use WEP, and it takes me an average of 5-20 minutes to get their WEP keys.
- Disabling broadcasting of your SSID does nothing if a cracker does a scan of the area (which is the first thing I do when looking for a weak access point). They can still easily see your access point.
- Restricting by MAC address helps, but it's easy for the cracker to spoof a MAC, and it's easy for them to find out what your MAC is if you're transmitting to your access point when they do a scan. They (usually) can't connect with the same MAC as yours when you're connected, but they can wait for you to disconnect or force a disconnection by sending you a de-authorization message.
- WPA/WPA2 protection is MUCH harder to get around, but doesn't work with the DS. Great =/
That said, every layer of security that you add is another annoyance that a cracker has to get through. I've given up on access points and moved to another one 'cause I didn't feel like taking the time to go through a MAC address filter.
Using a second router would work in your case, but then you have a weak link in your security. Someone could then connect to the 2nd router and have a path out to the internet, which is what you're trying to prevent. Also, if the 2nd router's access is not restricted enough, you could be allowing it access to your local network as well.
FYI: My router runs WPA2 with SSID not broadcasting and MAC filtering enabled. Obviously I can't connect my DS through this, so I had to buy the Nintendo Wifi adapter. This seemed like the best option for me as any device has to request authorization before it's allowed to use the Wifi adapted. I've already had multiple Wiis and DSs try to connect through it, and I just deny them access.