I think the best way to go is with the firewall option...
Why i say that?
Because think about it.
1-You will then have to do change in the configuration... thinking is on the same subnet(i mean the firewall ip address and the one you want to put on the WC. Change like the Default gateway of the WC and add internal routes pointing to the switch is routing, that if your controller is not routing because if it routing the wlan then its not possible.
2-You will have your WC with a public ip address directly whichi dont like too much that idea
3-You will be totally wasting one of the client ip addresses.. As with the firewall option you could use oneof the ip addresses that he is already using for some other port forwarding....
Anyways personally i dont like that option.... unless i dont have another choice....