Many routers actually allow a guest network, with separation from the private network under a different SSID with a different security model / passkey – my NetGear does. Worth checking, the range might be sufficient for his needs.
Sharkbait has the answer if that physical separation of the guest AP really is necessary.
EDIT: Depends on your level of paranoia. Different subnets would hide the private network / broadcast domain to a casual observer, but if this is to provide public access to unknown guests, I would say that isn’t sufficient – if it’s physically possible to bridge there’s usually a logical way to do it.