Can I isolate two wired subnets?

HI daveotto and welcome to the business forums. 

I appreciate you posting your question on your network. Since this does deal with your personal network, I am not able to say much on this due to our demarcation policy. However, I can say that this would be entirely dependant on what you're trying to accomplish and how you have your current network. Are you currently using the leased gateway in bridge mode or passthrough mode?

https://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/True-Bridge-Mode-vs-Pass-Through-Mode/m-p/21260#M2402

Multiple DHCP's within a single network could cause some conflict. 

I understand what you mean and are you using a static IP by chance? If so, you would not want to run bridge mode. 

Hi Comcast_Phil,

It's not in bridge mode, it's functioning as a normal router right now.  I also have a single router behind it, and there is forwarding from the gateway to my router, then from there to my surveillance DVR so I can check it from home.

I know, I could use bridge mode and just forward once, but I always expected that someday I would put another router back there and keep two different isolated subnets.  Basically this is because I will have somebody working in my building for some time who needs (wired) internet access but I want to make it impossible or at least pretty tough for them to get at anything on my main subnet.

Thanks,

DaveOtto

No, it's not a static IP, it's standard comcast dynamic.

daveotto, I've checked a few networking forums and it looks like you can do so if you enable NAT on both modems.