A VLAN would work also some routers have setting you can enable to separate the wired connection with the WiFi connection. I would look in to this first, it might be cheaper and easier to configure then VLANs, but VLAN will also give you more control on who get access to what.
I have been using one of these routers
http://www.newegg.com/Product/Product.aspx?Item=N82E16833124082
It will do what you are trying to do, You can setup VLAN, you can also setup the wireless so it looks like multiple access points with different names (aka SSID). So you could have an access point for customers that just goes right to the internet, and you could have an access point for your staff, that goes to the wired connections as well as internet.
It all so supports VPN so you can connect up remotely