In an ideal situation, you'd hang the AP off of a DMZ interface of your firewall. I'm not familiar with the WatchGuard line, but a quick look at their website indicates that most of their boxes have more than enough interfaces to handle this type of configuration. You can then allow clients who connect to your AP to either VPN into your internal network (if the FW supports it), or just allow the clients on the DMZ access to the outside world to surf the net.

--Ben