This is my solution, although my ISP box has no WiFi, thankfully. Their box is a totally locked down, "business" service bridge. Behind that is my MikroTik RB5009UPr+S+in, doing packet filtering, NAT, VLAN, PoE to access points, etc. I don't really care about the ISP box.