That was it, I selected the "authenticated role" and re-connected laptops as well as airdroid's to the wifi.
Now TerminalServers are accessible from wifi , and Airdroid webservers from LAN !
Chances are I'll ask some pointers next for my first "remote" accesspoint, on a private Wan, in split tunneling mode : I want to control it centrally, but for all other intents and purposes the AP needs to break out remotely and use legacy routing if it needs a resource in the Core. I want remote wifi clients to print remotely without going back and forth over the WAN.
That was the real purpose of the NGF install.
Thank you very much !
Ward