Hi, Dan. I do something much like this - using a router to isolate NVR network from client's side of network, at least.
Most of my customers are small enterprises, or remote facilities with minimal LAN infrastructure. Usually, just a local WAN router/modem and maybe a switch, and a few cable 'homeruns' to local appliances.
Almost every surveillance network I deploy is 'insulated' with a gateway router - including cameras (which, if IP, are just another computer host, with similar security risks). I run dedicated Cat5/6 cable for these networks, and almost never use/resuse any local LAN - I trust it less than they trust me.
I use a very powerful but inexpensive router as the gateway, as you describe. The NVR and all cameras are NAT'ed behind it. I use 'typical' firewall rules to help protect the router from attack, tarpitting what falls through. To 'slow down' potential hacking via administrative login (either local or remote), I use double port knocking rules and, of course, a strong password.
If the customer is unsophisticated, I'll get on thier local WAN router/modem (usually a common brand, with default user names and passwords still intact!), and set appropriate port forwarding to my gateway router. I used to 'zone' traffic from the private surveillance network, but realized that the WAN router itself was a far greater security risk to the local LAN than any attack from 'within' the private surveillance network, via a 'hack' of the remote access to either my gateway router or the NVR host itself. The principal exception, of course, is local, physical access to the NVR host box itself, and what might be done from a keyboard directly.
If they have an IT admin, then he/she puts the port forwarding rules on thier WAN router, and may create firewall rules to limit (zone) all traffic from my gateway router to the WAN. Sometimes we'll use a VPN for another layer of 'insulation,' but not usually.
Some, very anal, IT folks will put a completely separate WAN access point in place, so there is absolutely no interconnection with the surveillance network and the company's private network. Ironclad, but comes with addtional cost.
All customers have a public URL (DynDns) that I provide them, with specifc ports set for access to the NVR VMS service(s) running.
For NVR host remote administration, I used to use LogMeIn, but have recently gone to TeamViewer. I find it quicker and easier for me to use - not sure if either is more 'secure' than the other, Target notwithstanding. Again, strong passwords for TeamViewer connection and NVR host user login. No Windows Remote enabled, of course.
By the way, as you're an IT instructor, you know all the potential benefits of having a fully-featured router on your 'private' surveillance network, with regards to performance monitoring and tuning, and remote maintenance and administration. I could not be doing this without this type of architecture. Way too many truck rolls and attempts to resolve issues with the end customer at the keyboard, over the phone...
I thought everyone did something like this - at least when existing LAN infrastructure is minimal. The VPN would make it stronger, if you're not confident that the remote access method you use, combined with the private surveillance network isolation you employ, are adequate. If you're using the existing LAN, then the VPN would certainly be recommended - especially if PoS or other high-security exposures are present on it.
Sorry about the anonymous post - but I recently got my mail server hacked (by Russians), and don't want anyone trying to figure out where these installations might be in place... now, am I paranoid, or what?