JAWUG

Client mode with WiFi and LAN separated (breaking the bridge), i.e. a firewalled wireless interface

nvram set boot_wait=on
nvram set lan_ifname=vlan0
nvram set wifi_ifname=eth1
nvram set wl0_mode=sta
nvram set wl0_ssid=AP_requd_to_connect_to
nvram set wl0_channel=6
nvram set lan_proto=static
nvram set lan_ipaddr=192.168.2.x
nvram set wifi_proto=static
nvram set wifi_ipaddr=172.16.255.x

The next few lines vary based on your configuration and might not be required in all cases:
nvram set wifi_gateway=172.16.255.x
nvram set wifi_dns=172.16.255.x

Ensure /etc/init.d/S45firewall is modified accordingly so that the line reading
WAN=$(nvram get wan_ifname)
becomes
WAN=$(nvram get wifi_ifname)

MAKE SURE TO DO THE FIREWALL BEFORE REBOOTING WRT

IF THIS IS NOT DONE, YOU RUN THE RISK OF BEING LOCKED OUT OF THE AP.

Don't forget to nvram commit.

Well done, you have just set up the WRT as a client to another network and firewalled your local network. By setting a route to the subnet of the wireless network, you can NAT out of your LAN to the wireless users' IP segment, and you can allow wireless users access to services on your LAN. For example, to forward HTTP traffic to a local web server, add the lines:

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.2.2 -j ACCEPT
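
The S45firewall edit and the "firewall before reboot" warning above, as an added example that is not part of the original page: a small shell helper that rewrites the WAN= line, keeps a backup, and refuses to run nvram commit until the script really reads wifi_ifname. The function names and the FW_SCRIPT variable are hypothetical; only the script path and the two WAN= lines come from the page.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical;
# the default path is the one the page names.
FW_SCRIPT="${FW_SCRIPT:-/etc/init.d/S45firewall}"

# True only if WAN is taken from wifi_ifname and no active (uncommented)
# line still takes it from wan_ifname.
fw_wan_is_wifi() {
    grep -Eq '^[[:space:]]*WAN=\$\(nvram get wifi_ifname\)' "$1" || return 1
    if grep -Eq '^[[:space:]]*WAN=\$\(nvram get wan_ifname\)' "$1"; then
        return 1
    fi
    return 0
}

# Rewrite the WAN= line. The result replaces the script instead of being
# written through it, so a script that is a symlink to a read-only image
# is handled as well. The untouched copy is kept as <script>.orig.
fw_point_wan_at_wifi() {
    f="$1"
    fw_wan_is_wifi "$f" && return 0      # already edited, nothing to do
    cp "$f" "$f.orig" || return 1
    sed 's/^\([[:space:]]*WAN=\$(nvram get \)wan_ifname)/\1wifi_ifname)/' \
        "$f.orig" > "$f.new" || return 1
    rm -f "$f" && mv "$f.new" "$f" && chmod 755 "$f" || return 1
    fw_wan_is_wifi "$f"                  # fails if no WAN= line was found
}

# Gate for the final steps: commit only once the firewall edit is in place.
fw_commit_if_safe() {
    if fw_wan_is_wifi "$1"; then
        nvram commit
    else
        echo "not committing: $1 does not use wifi_ifname for WAN" >&2
        return 1
    fi
}
```

On the router, run fw_point_wan_at_wifi "$FW_SCRIPT" && fw_commit_if_safe "$FW_SCRIPT" after the nvram set lines and before rebooting.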