WAN port, by the simple luci settings, we can let the WAN port added into the LAN zone, then use WAN port (cable) to connect ISP for the dumbAP, we could get 4 Lan physical AP ports, otherwise only 3 of AP Lan ports.
WWAN port (WiFi client mode), same wifi port for the ISP connection and WiFi-AP, no cable connection to the ISP.
The details of this will vary depending on the hardware in use. Therefore, it is better to approach on a case-by-case basis rather than a generic guide (the dumb AP guide can be used for any device, even one that has just one ethernet port).
Also, it is important to make it clear that the dumb AP config specifically assumes that there is an upstream router. the phrase "then use WAN port to connect ISP (cable) for the dumbAP" can be confusing -- there must be a router (which may or may not be from the ISP) ahead of the dumb AP. The quoted section could be interpreted as the direct ISP connection (without a router), and that would be an incorrect use of the dumb AP.
This is not a dumb AP, but rather a repeater type configuration. This is usually handled by WDS, Mesh, or relayd.
A dumb AP refers specifically to the case where there is a wired uplink and no routing (just simply bridging wired-to-wireless).
In this situation, the device is operating as a dumb AP. There is no wan connection, only a lan. When we add a routed network (i.e. the guest network), we must enable masquerading on the lan zone.
The fact that masquerading is still enabled for the wan zone is really just vestigial. It can be removed, but it doesn't do any harm -- it has no function since there is nothing on the wan port/wan firewall zone.
Yeah... I think this makes a lot of sense and is a good option for those who want all the physical ports they can have. But this is not universal in terms of the configuration methods to do this... for example, it doesn't apply to a device with just one ethernet port. And for devices with multiple physical ports, there are 3 different ways in which this might be accomplished with syntax that depends on the device itself: bridging what are normally individually routed ports, swconfig, or DSA. As such, there is no 'generic' description of how to do this. And that is why it doesn't belong in the tutorial in question.
For clarity, WWAN usually refers to "Wireless Wide Area Network" (typically the internet), so in most cases a wwan based config assumes you'll be using routing.
Even if you're really talking WLAN ("Wireless Local Area Network"), you are still talking about one of 4 scenarios (routing, mesh, wds, or relayd) -- all of which are distinctly different than the dumb AP config, and all of which have tutorials already available. This is why it doesn't belong in this tutorial.
The LuCI Pictures are missleading, I had similar issues.
The "masquerading" is NOT set for the two networks that are in the same line.
"Masquerading" is only applied to ONE zone. And the zone is first in the LuCI Picture.
So in this case, "masquerading" is applied to LAN. It does not matter that WAN is in the same line .. its just the allowance of non existing forwarding.
you are very welcome.
as written in my starting statement, i am a bloody beginner.
but guys like vgaetera and peter sherman do so much work explaining whats really going on that people like me are able to understand pieces of the big picture - and are even able to do some documentation-work on specific isolated topics.
Yeah.... now I see where some of the confusion may be...
The way to read the GUI under "Zones" is (on a per-line basis):
at the far left is the zone name (lan, guest, wan, etc.)
Next we see the zones to which forwarding allowed (i.e. the destination zone; the source zone is the one we find at the far left)
Then we see the zone level rules (input, output, forward) -- these apply only to the zone name on the far left of the line
Finally, masquerading (again, applies only to the zone at the beginning of the line)
Another potential area of confusion is this...
the lan zone has masquerading enabled. The guest zone is not 'masqueraed into lan' but rather it is routed to the lan, and masquerading is applied to the lan zone.
Masquerading is simply the idea of having one or more networks 'hide' behind the IP address that the router holds on the upstream network. Normally we think of this for the wan -- the ISP issues a single IPv4 address, and we must apply masquerading such that our lan (and possibly other networks) can share that single address. This is true anytime there is a downstream IPv4 network on a router where the upstream network has no specific knowledge of (i.e. static route to) said network. You can think of it as an office or apartment building's street address... the postal service doesn't need to know every internal address within the building, as long as they know the street address so they can deliver mail to the building as a whole. The mailroom within the building is responsible for distributing the mail to the individual occupants.
Meanwhile, it is perfectly valid for masquerading to be enabled on multiple zones that form an upstream connection. In the case of the dumb AP, the wan network and wan zone are just simply not used. There is no harm in leaving the network/zone (and masquerading on the zone) enabled since it isn't active.
In the event of multiple upstream networks (for example, multiple wans, VPNs, or a combination of both), masquerading would normally be enabled (and required unless static routes are installed on the upstream router) on any network(s)/zones that serve as an upstream. In this case, policy based routing (PBR and/or mwan3) is needed to appropraitely direct traffic to the correct upstream network. But, none of this is relevant to the dumb AP configuration because there is only one upstream network -- the lan -- and we need masquerading enabled there unless static routes are installed on the main router. ↩︎