I quickly looked at the manual, starting on pages 28-29; it looks like you can tag each SSID with a particular VLAN. The single port on the back of this unit would uplink into a router/switch, which would need to have trunking enabled with 802.1Q support and the 2 VLANs you created on the unit allowed onto the trunk.
On the router or switch, apply an ACL to the rest of the network to allow or disallow the wireless IPs.
Alternatively, you could do some creative subnetting where the local LAN and wireless share the same subnet and VLAN (served by the same DHCP) and the public VLAN is on another subnet. Routing both outbound, but isolating them from each other...
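
The isolation described above, as an added example that is not part of the original post: a first-match ACL model in Python that checks the public VLAN can route outbound but cannot reach the private subnet, and flags a permit rule placed ahead of the deny that should cover it. The subnets, VLAN numbers and rule list are constructed assumptions, not values from the manual.

```python
import ipaddress

net = ipaddress.ip_network

# Constructed addressing plan (assumption, not from the post or the manual):
# VLAN 10 = local LAN + private SSID, VLAN 20 = public SSID.
PRIVATE = net("192.168.10.0/24")
PUBLIC = net("192.168.20.0/24")

# Ordered ACL for traffic arriving from the public VLAN: (action, source, destination).
# First match wins; unmatched traffic is dropped (implicit deny).
GUEST_ACL = [
    ("permit", PUBLIC, net("192.168.20.1/32")),  # own gateway (DHCP/DNS)
    ("deny", PUBLIC, net("10.0.0.0/8")),         # all RFC 1918 space,
    ("deny", PUBLIC, net("172.16.0.0/12")),      # so a later internal subnet
    ("deny", PUBLIC, net("192.168.0.0/16")),     # is isolated by default
    ("permit", PUBLIC, net("0.0.0.0/0")),        # everything else: outbound
]

# Same rules with the broad permit moved to the top, a common ordering mistake.
BAD_ACL = [GUEST_ACL[-1]] + GUEST_ACL[:-1]


def evaluate(acl, src, dst):
    """Return the action the first matching rule applies to one src -> dst flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def leaks(acl, src_net, protected_net):
    """List permit rules that let src_net reach protected_net before a deny
    covering the whole pair is seen (conservative: partial denies are ignored)."""
    found = []
    for rule in acl:
        action, rule_src, rule_dst = rule
        if (action == "deny" and src_net.subnet_of(rule_src)
                and protected_net.subnet_of(rule_dst)):
            break  # everything from here on is already blocked
        if (action == "permit" and rule_src.overlaps(src_net)
                and rule_dst.overlaps(protected_net)):
            found.append(rule)
    return found


if __name__ == "__main__":
    for name, acl in (("GUEST_ACL", GUEST_ACL), ("BAD_ACL", BAD_ACL)):
        print(name, "leaking rules:", leaks(acl, PUBLIC, PRIVATE))
```
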