For access points in my home network that sit behind my main modem router, DNS, DHCP server & firewall services aren't required. With the exception of DHCP client which are required for the AP to get its own IP (IPv4&6) addresses.
This is easily done by bridging wired & wireless network connections. And stopping & disabling dnsmasq, firewall & odhcpd in the System ¦ Startup tab.
Can one go further by not including the functionality in the firmware build?
DNS seems easy enough. Delete 'dnsmasq` in the ASU.
DHCP Server is tricky in that IPv4 seems to be provided by udhcpc wich is apparently part of BusyBox toolbox, and IPv6 DHCP services by odhcpd-ipv6only. Presumably odhcp6c is required for DHCP IPv6 client.
Firewall services seem more complicated still. Deleting firewall4 from the pack list results in the package firewall (Firewall3?) being included. This is a dependency of luci-app-firewall-* which is a dependency of luci-light-*.
Unless size is paramount (maybe on 8 MB flash devices), it's usually smarter to correctly configure these to ignore the desired interfaces, rather than disabling initscripts or building images without the packages. That way they are upgrade safe, aren't in the way and you don't get undesired side effects (e.g. on upgrades).
They would become handy if you try docker or lxc, masq serves local dns anyway for eg package manager's wget.
Once config files neutralize service you can disable/remove them as you want, no harm if they come back later.
Let's suppose your main router fails, and you want to reuse one of the AP as main router: it doesn't have the required services and functions. So it's better the keep them on the device, even if unused. As already answered, just neutralize the services when you don't need them. But they are still available if needed, you just have to reset/reconfigure the device to have a plain functionnal router.
"Neutralizing" the services doesn't even need to be as significant as has been discussed.
For dnsmasq, simply disable the DHCP server on lan (option ignore '1')
For firewall, do nothing, but make sure that the network interface that you're using for managing the AP is in the lan zone (or in a zone with input set to ACCEPT) so that it can always connect to the administrative surfaces even if the firewall is active.
The firewall will sit entirely idle since all traffic is flowing at L2 (the firewall is only involved for L3/routed connections). And so is dnsmasq since there's already presumably an upstream DHCP/DNS server. The two services thus consume very very little RAM. It is true they occupy flash storage space, but that only matters on devices with very limited capacity (8MB).
The AP configurations that seem to be most often implicated in problems are those where the users have extensively modified the firewall/DHCP configs and/or the actual images (trying to remove parts of the system). That is why I recommend leaving things intact while disabling the DHCP server explicitly.
More context might assist in understanding the motive behind my question. That is over & above Colin Chapman's famous maxim, "Just add lightness!" as the solution to most engineering problems.
For different reasons, both my TP-Link EAP615-Wall v1 and EAP235-Wall access points aren't able to run SNAPSHOT thanks to kernel memory constraints. It is possible that leaving out the three pieces of functionality doesn't change that, but I thought I might try.
I have more than one pre-configured backups for my router (and APs) ready to go, such is my OpenWRT tweaking habit & my ability to break perfectly functional devices.
Like most on this forum, I'm pathologically curious.
In terms of dnsmasq supporting local wget, even with the local service stopped & disabled, wget works, so I suspect the service running on a local router is sufficient.
That said, summarising the valuable input above, for which my thanks, & further testing:
Excluding DNS, DHCP server & firewall services is not recommended, trivial or hugely/potentially beneficial.
There is more than one way to stop/disable these services.
I recommend to use the image builder locally, remove all packages not needed and bake in config files.
It's slightly more work because you need to do this for every release.
I do the configs on the device and when I have ensured they work I transfer them to my PC, check them into git, build new images and flash these.
All access points share more or less the same minimal config with only minimal overwrites for each device... There are more then 1000 ways to do this.
But, IMO, this is a fair amount of work for little to no practical gain. It's not that it's a problem to slim down the config, but it makes for unnecessary 'busy-work' to do this, and also makes it harder to re-purpose the device (for example, as a replacement main router in a pinch) should that ever be necessary (you'd likely need to re-flash the device with a standard/default image).
To each their own, of course, but the KISS theory would say just use a standard image and then disable (via explicit config optoins) the services that need it, leave the rest of the services alone.
Sure but also not sure but why not. I had never the personal use for these tools nor did I ever found the drive to have a closer look at them.
I have an bash script environment which "simplifies" my use case and usage and I know from every "real enthusiast" that everyone has their personal own too
My personal issue with web hosted builder is that they waste resources and bandwidth. In my environment each package needs to only be downloaded once because of a local cache for each target device image builder... But sure for many people who take the step from first cold water to the warm blanket these helpers and Internet build services are great.
