The first thing is: will the networks need to be able to cross-communicate in some way? In other words, will you have to send network traffic from one network to the other, such as monitoring software, printing, or domain control?
You would need to get an additional router. Your Qwest modem is going to be the primary internet connection, and it should have two routers connected to it only. One router will act as the default gateway for your private network, the other will be the default gateway for your public network.
Even though the above configuration does give you two separate networks, both with access to the internet, it doesn't really block network traffic between the separate networks. You need a firewall for this, and with a firewall you could use just a single device instead of three routers.
Given what you have described, it is hard for us to tell what to recommend, what you need, and what issues you might come up with. A little more detail on your situation and what equipment you might be using would be helpful in getting a more detailed response.
- The two networks, at this time, do not need to communicate or "see" each other's traffic.
- I can get an additional router no problem, so each subnet will have its own default gateway.
- To separate the two networks without using a firewall, couldn't I just give each default gateway a subnet? For example, subnet 1 has a network ID of 192.168.1.0/27 and uses DHCP on the router to hand out addresses between 192.168.1.1 and 192.168.1.30, and subnet 2 has a network ID of 192.168.1.32/27 and uses DHCP on the router to hand out addresses between 192.168.1.33 and 192.168.1.62.
I have a diagram drawn but I don't know how to post it.
Using two subnet masks on the same switch group, i.e. VLAN, is not security. All the users do is change the subnet mask.
The way to do it without a firewall is to have a main router. Then attach a router for each network behind it and add any additional switches to each router. I would actually use the SAME subnet behind each router, since it then prevents them from going up to the main router and back to the other side.
You could also just plug one router into the other WAN-to-LAN. So if you plugged the customer router into the employee router's LAN port it will work, but it will also allow the customer to get to the employee network, but not the reverse. If you went the other way around, your employees could get to the customer network but the customers could not get to the employee network. The disadvantage in either case is that the traffic must pass through two NATs on the router that is plugged into the LAN of the other.
There are also routers or layer 3 switches that support VLANs, so each can have a separate network and you can filter traffic. A router that you can load DD-WRT on would also give you these features; you could put different subnets on different LAN ports and plug switches into those.
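To make the point in the reply above concrete (the subnet mask is chosen by the host, not enforced by the switch), here is an added example that is not part of this thread. It uses the 192.168.1.0/27 and 192.168.1.32/27 plan from the question, and assumes the two ranges share one flat switch with no VLANs, so any host can ARP for any other host on it; the host addresses .10 and .40 are constructed for the demonstration.

```python
import ipaddress

# Constructed addressing taken from the question: two /27 ranges that sit on
# one shared switch. Assumption: that switch is a single flat broadcast domain
# (no VLANs), so any host can ARP for any other host on it.
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/27")   # 192.168.1.0 - .31
PUBLIC_NET = ipaddress.ip_network("192.168.1.32/27")   # 192.168.1.32 - .63


def is_on_link(host_ip: str, prefix_len: int, dst_ip: str) -> bool:
    """Return True if a host configured as host_ip/prefix_len treats dst_ip
    as directly reachable (it ARPs for it on the local segment) instead of
    sending the packet to its default gateway.

    This decision is made purely from the host's own configured mask; the
    switch never sees or checks the mask.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    return ipaddress.ip_address(dst_ip) in iface.network


def longest_prefix_covering(host_ip: str, dst_ip: str) -> int:
    """Longest prefix length (largest mask) the host can configure and still
    have dst_ip on-link. Any shorter prefix also works. This is the one
    field a user edits to step around the 'separation'."""
    dst = ipaddress.ip_address(dst_ip)
    for prefix_len in range(32, -1, -1):
        net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
        if dst in net:
            return prefix_len
    raise AssertionError("unreachable: /0 covers every address")


def can_reach(host_ip: str, prefix_len: int, dst_ip: str,
              gateway_routes_between_subnets: bool) -> bool:
    """Model of where a packet from host_ip to dst_ip ends up.

    - On-link: delivered directly across the switch, no router involved.
    - Off-link: handed to the default gateway, which only delivers it if it
      has a route to (and is willing to forward into) the other subnet.
    """
    if is_on_link(host_ip, prefix_len, dst_ip):
        return True
    return gateway_routes_between_subnets


def demo() -> dict:
    """Walk through the scenario from the thread and return the outcomes."""
    private_host = "192.168.1.10"   # constructed employee/private host
    public_host = "192.168.1.40"    # constructed customer/public host
    assert ipaddress.ip_address(private_host) in PRIVATE_NET
    assert ipaddress.ip_address(public_host) in PUBLIC_NET

    # Two separate routers, neither has a route to the other's subnet.
    no_routing = False
    return {
        # Configured as intended (/27): packet goes to the gateway, which drops it.
        "as_configured": can_reach(public_host, 27, private_host, no_routing),
        # Same host after the user shortens the mask in the NIC settings:
        # direct delivery across the switch, routers never involved.
        "mask_widened_to_24": can_reach(public_host, 24, private_host, no_routing),
        # The smallest edit that already works (here /26 covers .0 - .63).
        "shortest_change": longest_prefix_covering(public_host, private_host),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model only captures the forwarding decision: with the intended /27 the packet reaches a gateway that has no path to the other range, but a host on the same switch can make the other range on-link by typing a shorter mask, and no router is consulted. The fix the reply points at is separate broadcast domains (VLANs or separate switches) with a device in between that filters, not two masks on one segment.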