So if everything is 1 flat network then no, pfsense has zero to do with any stun problem with AP talking to your controller.

As to vlan.. Simple enough to do, yes.. Create another SSID, let's say it's ssid-guest, put a vlan ID on it - let's call it 100.

Then on the switch port connected to your AP set vlan 100 as tagged. On switch port connected to pfsense also tag vlan id 100.

On pfsense create a vlan, let's make the network 192.168.100.0/24, pfsense IP 192.168.100.1, and put this vlan on the physical port your lan is on. There you go, other than creating the rules you want on this new vlan you're done.