If guests are going to be offered unfiltered access to the internet, then it is a simple solution: buy a router with guest access.
I purchased the Netgear WNDR3700
recently and so far it has been a rock solid router.
There are two networks, 5 GHz and 2.4 GHz, and each network has an optional guest network that will be granted access to the internet but not to the internal network.
If he wants a business end router, I suggest something like the Cisco WRVS4400N
, which can manage network ports and put them on a different subnet. Then you can add a WAP and place it on the secluded port. The only advantage over the Netgear is that the Cisco offers VPN access.