The good news: we got it to bridge (as opposed to NAT) yesterday.
The bad news: when we make the default behaviour to not allow wireless traffic to leave the wireless subnet, nothing works. When a user authenticates via authpf, the logs don't show the packets being dropped, and tcpdump from the wired network shows them getting to their destination, but the ICMP echo replies/TCP ACKs are not making it back through, and we can't figure out why.
I think that using the 10% smarter rule we might not be able to solve this problem.
"In order to use any type of device successfully, one must be at least 10% smarter than said device" -- the 10% smarter rule.
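For readers who want to see the setup the post describes laid out as rules, here is an added pf example (not the poster's configuration, and not a diagnosis of their problem): a bridge whose wireless side blocks traffic leaving the wireless subnet by default, with per-user access opened by authpf. The interface names, the subnet and the choice to filter on only one bridge member are assumptions; the one caveat it illustrates is that pf sees a bridged packet on both member interfaces, so stateful rules applied on one side avoid the reply traffic being judged a second time on the other.

```pf
# /etc/pf.conf  (added example; names and addresses are assumptions)
wifi_if  = "ath0"            # assumed wireless member of the bridge
wired_if = "em0"             # assumed wired member of the bridge
wifi_net = "192.0.2.0/24"    # assumed wireless subnet (documentation range)

# A bridge hands pf every packet on both member interfaces.  Filter
# only on the wireless side so replies arriving on the wired side are
# not evaluated a second time without matching state.
set skip on $wired_if

# Default: wireless clients may only talk within their own subnet.
# Log the blocks so a dropped packet shows up in pflog0.
block in log on $wifi_if from $wifi_net to ! $wifi_net

# Rules that authpf installs for each authenticated user.
anchor "authpf/*"

# /etc/authpf/authpf.rules  (loaded per login; authpf defines $user_ip)
# Keeping state here is what lets the echo replies and ACKs for the
# user's sessions return through the bridge.
pass in quick on ath0 from $user_ip to any keep state
```

With this in place, `tcpdump -n -e -ttt -i pflog0` shows anything the default block rule drops, and `pfctl -ss` lists the states created by a logged-in user's traffic; if a reply is still lost, both are silent and the packet is being discarded somewhere pf is not filtering.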