I'm trying to understand the way firewall rules function on the wireless AP (MR devices). Unlike traditional firewalls where you have an inbound and outbound interface, how exactly are the rules applied to a wireless user for each request? The rules aren't applied to the uplink interface, correct?
When configuring firewall and traffic shaping rules via the wireless menus in an MR configuration, those firewall rules are applied to every user/client request on the wireless side of the AP, so you can have L3 and L7 firewalling right at the edge without needing to place any blocked traffic on the wired side and rely on some other firewall further upstream. You can set firewall and traffic shaping rules on an SSID by SSID basis, and you can also do it in group policies. You should be able to confirm by setting a FW rule on a wireless SSID and then run a packet capture on the wired/LAN side of the AP and see that the firewalled traffic is not traversing the AP's uplink to the switching infrastructure. More info here https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/Firewall_Rules