Firewall on the MF286D


I am successfully using the ZTE MF286D 4G router on the Three network.
I have a choice of using the firewall with lan or wan (not both) and it doesn't work unless I choose one option. Which one do I choose? Why is there a choice? And why can't I choose lan and wan.. :scream:

You are assigning a network into a firewall zone. A network may only be a member of one zone.

In the case of a 4G modem, the upstream network is usually "the internet" via an untrusted network (i.e. not under your control -- it is the cellular provider's network). Therefore, it belongs in the wan zone. The same would be true for a cable/dsl/fiber/satellite connection -- you'd associate that network with the wan zone unless you can trust the network itself.

The firewall is set up (by default) such that the wan zone is considered untrusted. It does not allow the upstream network to connect to the router's services (i.e. ssh/web admin, as well as any other services running on the device), nor can it make unsolicited connections to your trusted networks (i.e. your lan).

Further, in the case of IPv4, you will usually only have one IPv4 address to share with all the devices on your network. Therefore, masquerading is applied to the wan firewall zone to enable this sharing.

The lan zone is fully trusted and has full access to the router itself and it may initiate connections out to the internet as would be expected.

1 Like
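Added here as an illustration, not code from any post in this thread: a small POSIX sh lint (awk-based) over a constructed /etc/config/firewall fragment that checks the rule psherman gives (a network belongs to exactly one zone) and the wan-zone defaults he describes (inbound connections to the router rejected, masquerading on). The config excerpts are constructed and use unquoted UCI values, which the parsing assumes.

```shell
# Added example (not from the thread): lint an OpenWrt /etc/config/firewall
# fragment for the points above. Both configs are constructed, values unquoted.
GOOD_CFG='
config zone
	option name lan
	list network lan
	option input ACCEPT
config zone
	option name wan
	list network wan
	option input REJECT
	option masq 1
'
# What the original poster tried: one network listed in both zones.
BAD_CFG='
config zone
	option name lan
	list network lan
	list network wan
config zone
	option name wan
	list network wan
	option input REJECT
	option masq 1
'
# Print "network zone" pairs from the config passed as $1.
zone_members() {
    printf '%s\n' "$1" | awk '
        /^config zone/ { zone = "" }
        $1 == "option" && $2 == "name"    { zone = $3 }
        $1 == "list"   && $2 == "network" { print $3, zone }'
}
# Exit 0 if every network is in exactly one zone; otherwise print the
# networks that appear more than once and exit 1.
check_single_zone() {
    dups=$(zone_members "$1" | awk '{ print $1 }' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"; return 1
}
# Exit 0 if zone $2 rejects input to the router and masquerades (wan default).
check_untrusted_zone() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^config zone/ { zone = "" }
        $1 == "option" && $2 == "name" { zone = $3 }
        zone == want && $2 == "input" { input = $3 }
        zone == want && $2 == "masq"  { masq = $3 }
        END { if (input == "REJECT" && masq == "1") exit 0; exit 1 }'
}
check_single_zone "$GOOD_CFG" && check_untrusted_zone "$GOOD_CFG" wan && echo "good: ok"
check_single_zone "$BAD_CFG" || echo "^ listed in more than one zone"
```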

What @psherman said. Why would you like it to be in both? Do you want to bridge the modem?

Ah..thank you.
I was assuming that it was providing a firewall for devices attached to the downstream when in fact the firewall is attached to the upstream.
It does make sense now. :+1:

The firewall is attached to all interfaces, upstream and downstream. You can think of it like an international border crossing -- there are passport officials on both sides who will check your credentials when entering their country. (yes, the firewall is actually more sophisticated than that simple analogy, and you can have rules for both ingress and egress, but the point is that the firewall applies to all (managed) interfaces whenever traffic is being routed from one network to another).