Reworked the network. My Raspberry Pi is a real router now.

Cable modem -> embedded router -> Raspberry Pi

Both the ISP's embedded router and the Pi do NAT and both act as a WiFi access point. This means there are two subnets and two SSIDs.

Behind the Pi, there's a nice 172.20/16 subnet and this is where my workstations are. Between the modem and the ISP's router, there's a "default" 192.168.0/24 subnet and this is where "silly" devices live: tablets, smartphones, devices of guests, stuff like that. They can't access my 172.20/16 because the traffic is firewalled.

Also, WiFi on the embedded router sucks. Very frequently, wpa_supplicant can't connect. At least not on my notebook -- the aforementioned tablets and phones work fine. Now I have an additional access point on my Pi using hostapd. That was surprisingly easy to set up. Works fine. Connecting to that is much faster than connecting to the embedded router.

Of course, a Pi isn't fast, so there's no gigabit ethernet going on here. And I had to buy additional hardware:

-- "CSL USB 2.0 Fast Ethernet Adapter" (ID 0bda:8152, driver r8152)
-- "EDIMAX EW-7811UN Wireless USB Adapter" (ID 7392:7811, driver rtl8192cu)
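
A sketch of how the Pi could enforce the separation described above, as an added nftables example that is not the ruleset from this post. NAT on its own does not isolate 172.20/16: a device in 192.168.0/24 that adds a static route via the Pi's outer address would still be forwarded unless the forward chain drops it. The interface names (eth0 as uplink, eth1 and wlan0 as inner wired and hostapd interfaces) and the choice of nftables are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not the author's configuration.
# Assumed interfaces (not stated in the post):
#   eth0  = Pi uplink, sits in 192.168.0.0/24 behind the ISP router
#   eth1  = inner wired LAN (USB Ethernet adapter)
#   wlan0 = inner WiFi served by hostapd
# Note: "flush ruleset" replaces every rule currently loaded.
flush ruleset

define WAN = "eth0"
define LAN = { "eth1", "wlan0" }

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Services on the Pi (DHCP, DNS, SSH) are reachable from inside only.
        iifname $LAN accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to connections opened from the inside.
        ct state established,related accept
        ct state invalid drop
        # Inner hosts may reach the outer subnet and the internet.
        iifname $LAN oifname $WAN accept
        # Inner wired and wireless segments may talk to each other.
        iifname $LAN oifname $LAN accept
        # New connections from the outer side towards 172.20/16 are logged
        # (rate limited) and then fall through to the drop policy.
        iifname $WAN ip daddr 172.20.0.0/16 limit rate 10/minute log prefix "outer->inner "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Second NAT layer: hide 172.20/16 behind the Pi's outer address.
        ip saddr 172.20.0.0/16 oifname $WAN masquerade
    }
}
```

The syntax can be checked without loading it using `nft -c -f <file>`; IP forwarding (`net.ipv4.ip_forward=1`) has to be enabled separately.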