Once I disabled the annoying bridging I ran across a problem. My wireless devices couldn’t get internet access. I have very little experience with iptables but I was able to get enough out of reading the default firewall rules that I could enable NAT for the wireless interface. I added the following to /etc/firewall.user:
WIFI=$(nvram get wifi_ifname) iptables -A FORWARD -i $WIFI -o $WAN -j ACCEPT
And now I have everything I wanted. My NFS stuff is protected from the wireless devices. My next project will be to setup ipsec stuff so that authenticated wireless devices will have nfs access.