@Matthew3 we're working on a VLAN solution for the clients (still waiting for final schedule), and in 2.0.2 in addition to client isolation, we've added DHCP rogue server prevention, and multicast/broadcast/unicast flood prevention. So this will prevent ill-connected routers from impacting upstream and the wireless network.
Regarding the L3 termination (since the C5 will remain as a bridge), if you don't want to add a router of your own (MikroTik or Mimosa G2, etc.), is to control the customer 3rd party router which typically is unknown MAC address, etc. which can be a bit of a pain of course to setup static IP. To make this seamless to manage, we are adding Option 82 on the A5 to protect the network DHCP server, and properly serve the right IP address to the customer router by injecting the known MAC of the C5 into the DHCP relay request. This of course assumes the C5 MAC/customer relationship has been associated and information available in the DHCP server tables or via Radius (Radius is the typical Option 82 lookup solution with DHCP servers).
Hope this helps, not entirely there yet, but the Option 82 solution is a very popular option with a lot of the WISPs we've talked with.