There is no requirement to add a virtual interface on the access point.
The issue is the linksys router which is using broadcast as a method to issue DHCP address, compared to unicast of the Juniper firewall.
if you edit the firewall rules on the AP (below is from our best practice) you will see a dhcp offer convert
this converts DHCP packets from broadcast to unicast
firewall-policy default
no ip dos smurf
no ip dos twinge
no ip dos invalid-protocol
no ip dos router-advt
no ip dos router-solicit
no ip dos option-route
no ip dos ascend
no ip dos chargen
no ip dos fraggle
no ip dos snork
no ip dos ftp-bounce
no ip dos tcp-intercept
no ip dos broadcast-multicast-icmp
no ip dos land
no ip dos tcp-xmas-scan
no ip dos tcp-null-scan
no ip dos winnuke
no ip dos tcp-fin-scan
no ip dos udp-short-hdr
no ip dos tcp-post-syn
no ip dos tcphdrfrag
no ip dos ip-ttl-zero
no ip dos ipspoof
no ip dos tcp-bad-sequence
no ip dos tcp-sequence-past-window
no ip-mac conflict
no ip-mac routing conflict
dhcp-offer-convert
if the packet is already unicast, nothing will happen to the packet
regards
Andy