This is certainly an advanced topic.
If the RAP is providing a DHCP address to that wired client, you cannot do port forwarding, because the client's traffic is probably being NATTED out of the ip address of the AP for it to work. Those addresses that are assigned by the AP are NOT addressable by a port forwarding rule on the router connected to the cable modem.
Your only hope would be if you are bridging the ethernet port that the device is connected to on the RAP5 to the same VLAN as the e0 of the RAP5 and ip addresses are getting assigned by the router connected to the cable modem. Try by making the wired AP profile VLAN on that port match the "Native Vlan ID" parameter in the AP system profile. You would then be able to create a port forwarding rule from the router to the ip address of that wired client on port 4040.
Another hidden issue is that there is a system ACL that is protecting inbound traffic to the RAP5 and this ACL would have to be relaxed for any inbound traffic to a client attached to the RAP5 to be addressable from the "outside world" even if that device got an ip address from your soho router. That parameter is in the AP system profile and is called the "session-acl" parameter. That parameter is normally set to the "ap-uplink-acl" and it normally only permits NAT-t (ipsec) and bonjour traffic inbounds. That session ACL however allows traffic outbound unsolicited from any client on the AP. You would have to change that ACL to something that permits port 4040 inbounds as well as NAT-T for it to work reliably.