Dumb AP & Guest Wi-Fi - Wrong instructions / review necessary?

WAN port, by the simple luci settings, we can let the WAN port added into the LAN zone, then use WAN port (cable) to connect ISP for the dumbAP, we could get 4 Lan physical AP ports, otherwise only 3 of AP Lan ports.

WWAN port (WiFi client mode), same wifi port for the ISP connection and WiFi-AP, no cable connection to the ISP.

To me it looks the masquerading is happenging from wan to internet and from lan to wan.

The details of this will vary depending on the hardware in use. Therefore, it is better to approach on a case-by-case basis rather than a generic guide (the dumb AP guide can be used for any device, even one that has just one ethernet port).

Also, it is important to make it clear that the dumb AP config specifically assumes that there is an upstream router. the phrase "then use WAN port to connect ISP (cable) for the dumbAP" can be confusing -- there must be a router (which may or may not be from the ISP) ahead of the dumb AP. The quoted section could be interpreted as the direct ISP connection (without a router), and that would be an incorrect use of the dumb AP.

This is not a dumb AP, but rather a repeater type configuration. This is usually handled by WDS, Mesh, or relayd.

A dumb AP refers specifically to the case where there is a wired uplink and no routing (just simply bridging wired-to-wireless).

1 Like

In this situation, the device is operating as a dumb AP. There is no wan connection, only a lan. When we add a routed network (i.e. the guest network), we must enable masquerading on the lan zone.

The fact that masquerading is still enabled for the wan zone is really just vestigial. It can be removed, but it doesn't do any harm -- it has no function since there is nothing on the wan port/wan firewall zone.


I can not see the masquerade from guest to lan in the picture.

Look at the very last image before section 4 begins. It shows masquerading on the lan zone.

This is the picture I see. There is no tick in the masquerade box in guest 2 lan forward.

masquerading is not required on the guest network. It is only needed for the upstream network (in this case the lan).


Agree! you always let us know the right concepts on this. But,

WAN port, my solution, uses it as one more "LAN port" for the AP, better than wasts it no-use.

WWAN function for the dumb-AP, no cable connection to the Router, as a completed dumb-AP setup instructions, better to tell the reader how-to use the WWAN to connect to the router.

Yeah... I think this makes a lot of sense and is a good option for those who want all the physical ports they can have. But this is not universal in terms of the configuration methods to do this... for example, it doesn't apply to a device with just one ethernet port. And for devices with multiple physical ports, there are 3 different ways in which this might be accomplished with syntax that depends on the device itself: bridging what are normally individually routed ports, swconfig, or DSA. As such, there is no 'generic' description of how to do this. And that is why it doesn't belong in the tutorial in question.

For clarity, WWAN usually refers to "Wireless Wide Area Network" (typically the internet), so in most cases a wwan based config assumes you'll be using routing.

Even if you're really talking WLAN ("Wireless Local Area Network"), you are still talking about one of 4 scenarios (routing, mesh, wds, or relayd) -- all of which are distinctly different than the dumb AP config, and all of which have tutorials already available. This is why it doesn't belong in this tutorial.


I still can imagine a caveat in returning traffic routing. Also the usage of the wan in dumb access point is creepy to me.

Please elaborate. What is the situation you are referring to?

There is no wan in a dumb ap config. So what is it that concerns you?

How does the upstream router know how to route the returning fraffic unless the guest network addressrange is not masguearaded into lan interface address ?

The picrure is showing wan zone eventhough it might not be including wan interface.

This is why masquerading is enabled on the lan firewall zone. The upstream router doesn’t need to have any knowledge of the guest network.

The wan network interface is associated with the wan firewall zone by default. This protects the router and the lan from an untrusted upstream network on the wan.

However, it is unused because there is no wan connection in the first place. There is no harm for it to be there, but can also be safely removed.

1 Like

Plese explain me where in the picture the guest network is masqueraded into lan ? The text is correct, the luci picture is wrong. :wink:

This picture is correct.

Masquerading is applied to the outgoing zone. The lan zone has a check in the masquerade box.

Then forwarding is allowed from guest > lan.

1 Like

The LuCI Pictures are missleading, I had similar issues.
The "masquerading" is NOT set for the two networks that are in the same line.
"Masquerading" is only applied to ONE zone. And the zone is first in the LuCI Picture.

So in this case, "masquerading" is applied to LAN. It does not matter that WAN is in the same line .. its just the allowance of non existing forwarding.

The real / clean picture looks like this:

this picture makes it so much clearer what is relly going on in dumbAP + Guest.
But I did not want to change the guide to much in this direction and clean all WAN stuff.

In other words .. in the dumb AP + guest szenario,
"Guest" is the new LAN
LAN ist the new WAN

1 Like

Thank you.

1 Like

you are very welcome.
as written in my starting statement, i am a bloody beginner.

but guys like vgaetera and peter sherman do so much work explaining whats really going on that people like me are able to understand pieces of the big picture - and are even able to do some documentation-work on specific isolated topics.

party on :slight_smile:

1 Like

Yeah.... now I see where some of the confusion may be...

The way to read the GUI under "Zones" is (on a per-line basis):

  • at the far left is the zone name (lan, guest, wan, etc.)
  • Next we see the zones to which forwarding allowed (i.e. the destination zone; the source zone is the one we find at the far left)
  • Then we see the zone level rules (input, output, forward) -- these apply only to the zone name on the far left of the line
  • Finally, masquerading (again, applies only to the zone at the beginning of the line)

Another potential area of confusion is this...
the lan zone has masquerading enabled. The guest zone is not 'masqueraed into lan' but rather it is routed to the lan, and masquerading is applied to the lan zone.

Masquerading is simply the idea of having one or more networks 'hide' behind the IP address that the router holds on the upstream network. Normally we think of this for the wan -- the ISP issues a single IPv4 address, and we must apply masquerading such that our lan (and possibly other networks) can share that single address. This is true anytime there is a downstream IPv4 network on a router where the upstream network has no specific knowledge of (i.e. static route to) said network. You can think of it as an office or apartment building's street address... the postal service doesn't need to know every internal address within the building, as long as they know the street address so they can deliver mail to the building as a whole. The mailroom within the building is responsible for distributing the mail to the individual occupants.

Meanwhile, it is perfectly valid for masquerading to be enabled on multiple zones that form an upstream connection[1]. In the case of the dumb AP, the wan network and wan zone are just simply not used. There is no harm in leaving the network/zone (and masquerading on the zone) enabled since it isn't active.

  1. In the event of multiple upstream networks (for example, multiple wans, VPNs, or a combination of both), masquerading would normally be enabled (and required unless static routes are installed on the upstream router) on any network(s)/zones that serve as an upstream. In this case, policy based routing (PBR and/or mwan3) is needed to appropraitely direct traffic to the correct upstream network. But, none of this is relevant to the dumb AP configuration because there is only one upstream network -- the lan -- and we need masquerading enabled there unless static routes are installed on the main router. ↩︎