Setting up an office network with public inet access


minorgod
06-23-2004, 05:28 PM
I'm the IT guy at a real estate school. I've got a basic small office network with internet access through a cable modem. The cable modem has a built-in router and 4-port switch, but we've got it set to forward all ports to another router that we prefer to use for routing. It's a Linksys 4-Port/Wireless 802.11b (BEFW11S4). We've also got a couple of switches hooked up to the Linksys to allow multiple computers and network printers to connect through the 4 ethernet ports on the Linksys router. The whole building is wired with ethernet ports in all the rooms, so we'd like to enable our students to access the Internet, but not allow them to access our office computers.

So now I need to set up a separate part of the network so that it has access only to the internet, but not to any of our internally networked machines. I'd really like to enable the wireless part of the router so we can offer both wired and wireless access, but I'm really not sure of the best way to go about setting this up. I'm thinking that I can probably just hook a different router up to a different port on the cable modem's built-in switch and that should, in theory, not have access to the rest of our network. But I really don't know.

Can anyone suggest anything, or point me toward a good tutorial on running two separate networks that access the same cable modem?

Greenstead
06-23-2004, 09:50 PM
> we've got it set to forward all ports to another router

I don't know why you forward the ports. Seems unnecessary. Remove the forwarding.

> hook a different router up to a different port on the cable modem's built in switch

Yes, but it only needs to be a switch, not a router.

The DHCP service needs to be enabled in the modem-router.

minorgod
06-23-2004, 09:58 PM
Thanks for the info.

We have to forward all the ports from our cable modem's built-in router to our internal network's router since Comcast sets their built-in routers to block every port except 80 by default (commercial accounts only, I think). Since we have an extra router that I actually like and know how to configure, we just set it up on a DMZ so I don't have to manually forward ports every time I have an application that needs another port open. They don't even enable FTP by default. So yes, I do have to forward all the ports or I can't FTP, SSH, Telnet, SFTP, run a remote debugger, etc.

Anyway, I tested my setup and it seems to work. The classroom computers can't see the office computers and vice versa. So I'm just hoping there's no gaping security risk now. Tomorrow I'm going to reverse the setup so the classrooms can use the wireless router since all our work machines are hard wired.