Sorry, what do you want me to check? If ticking masquerade in lan => wan would not work?
It does work! I wanted to understand,
1st - what is the difference?
2nd - how can it work without being masqueraded?
I saw in tcpdump that the traffic is indeed leaving masquerading (of course, it would leave as a local address for sure...). So the question is only, what does the tick do and should I tick it? Or does it do nothing?
You don't need to masquerade traffic to pass it between the LAN and WAN interfaces. It's all still in the router and can use private IP addresses. It only needs to masquerade when it leaves the WAN interface to the public internet, which is why that's the only one ticked by default.
And the zone is X? Is this right? (ANY matches all zones)
"ACCEPT" "INPUT" means accept traffic going from ANY to X,
"ACCEPT" "OUTPUT" means accept traffic going from X to ANY
"ACCEPT" "FORWARD" means accept traffic going from X to Y
INPUT refers to any traffic entering the router on an interface in the zone. OUTPUT refers to any traffic leaving the router on an interface in the zone. FORWARD refers to any traffic passing between interfaces within the zone.
So, in the default OpenWRT setup:
LAN - traffic can enter or leave the router on any interfaces within the LAN zone. It can also be forwarded between interfaces in the zone.
WAN - traffic can leave the router from interfaces within the WAN zone. Any traffic entering the router on an interface within the WAN zone will be rejected (unless there's a firewall rule allowing entry). The same is the case for any traffic forwarded between interfaces in the WAN zone.
This is all separate to the Zone ⇒ Forwardings which you see in Luci. That column relates to what traffic can be internally (i.e. within the router) forwarded between zones. So again, in a default setup, traffic can freely be forwarded from the LAN zone to the WAN zone, but no traffic can be forwarded out of the WAN zone (unless there are firewall rules allowing entry).
I think you're getting stuck in the idea that LAN and WAN (as defined by the OpenWRT firewall) are single interfaces. They're not, they're a construct designed to logically set out various 'zones' and can contain multiple interfaces. A common example for this is the LAN zone containing LAN and VPN interfaces.
FORWARD is for traffic in the zone, so is only applicable if you have multiple interfaces in that zone. Traffic passing between zones is controlled by the zone forwarding rules, i.e. X=>Y.
Last reject rule is based on the General Settings, which apply when an interface does not belong to a zone.
From there actions depend according to what you have configured.
[10935:891784] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[740:72143] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to iot forwarding policy" -j zone_iot_dest_ACCEPT
[740:72143] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to roadwarrior forwarding policy" -j zone_roadwarrior_dest_ACCEPT
[26:1759] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[714:70384] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
If you look at a zone itself then it is like you said and others confirmed already. All devices within a zone are subject to zone rules. Look at those zones like a black box:
      ---->| LAN |---->            ---->| WAN |---->
  IN       --------       OUT   IN      ---------       OUT
Masquerading is just a technique to bridge/(route between) different subnets. So if your traffic is passed from lan => (to) wan then it is still transparent (not masqueraded) until the traffic is passed from wan => (to) ISP-LAN. If the packet is leaving the wan zone then it is getting masqueraded/tagged. So wan has the same possible chains as LAN or any other zone.
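The default zone layout described in this thread (lan open, wan rejecting inbound, forwarding only lan => wan, masquerade only on wan), written out as the matching /etc/config/firewall fragment. This is an added illustration, not configuration posted by anyone in the thread; the extra `vpn` network listed in the lan zone is an assumed interface name, included only to show a zone holding more than one interface.

```uci
# Policy for traffic on interfaces that belong to no zone at all
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: INPUT/OUTPUT/FORWARD all apply to every interface in the zone.
# FORWARD here only matters because the zone holds two interfaces
# ('vpn' is an assumed name for this example).
config zone
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# wan zone: nothing may enter the router or be forwarded between wan
# interfaces unless a rule allows it. masq '1' is the only NAT in the
# file: packets are rewritten to the wan address when they leave a wan
# interface, never when they are handed from lan to wan inside the router.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The "Zone => Forwardings" column in LuCI: lan may be forwarded to wan.
# There is no wan -> lan entry, so replies are only admitted via conntrack.
config forwarding
	option src 'lan'
	option dest 'wan'
```

Ticking Masquerading on the lan zone would add `option masq '1'` to the lan stanza, which rewrites sources only for packets leaving a lan interface towards LAN hosts; it changes nothing for the lan => wan path, which is already NATed by the wan zone's own `masq` setting.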