|Yes, the built in Firewall of a Wireless Router/Gateway applies only to the WAN ports and not the LAN ports and the Wireless Bridge that connects the Radio to the LAN. |
You can setup a hardware firewall between your WAP and the LAN but this would be a configuration nightmare. What is the WAP used for? Is it only to provide internet access to the users or does it need access to the domain? Do you have a managed Switch if so then you could setup a VLAN to give the WAP access to only the Internet not the LAN?.
If you need to give access to the LAN and want to secure your WAP then I recommend using a combination of WPA2 WiFi encryption, Hide your SSID, MAC Filtering and Setup the Access Times on the WAP to only work during business hours.
That being said, these items can be defeated through...
MAC Filtering - MAC Spoofing
Hidden SSID - Net Stumbler
WPA2 - Cain and ARP injection. (But a really long password like 32 characters will make it almost impossible)
I used a 32 character random password for my WAPs because once you setup a profile you only need to enter the password once and with a Flash Football it makes it easy.