Help needed understanding Masquerading option

In this article on setting up a guest network:
at the end of section 3 it suggests "Also enable masquerading for lan"

When I previously set up a guest network, I followed a similar but older guide, which appears to be the one here:
This does not suggest to enable masquerading for lan.

Can someone explain to me (a) what this actually does and (b) why it is recommended in the newer guide? As I understand it a NAT router does masquerading by default - i.e. the outside world sees the router's IP address, not my PCs (which are all 192.168.1.x addresses). So what difference does this tick box make? Everything seems to work as I expect with or without it ticked.

These 2 guides are for different scenarios. The dumbAP doesn't use the wan interface, there is only lan+guest. Hence the lan must masquerade the guest IPs.
In the second there is wan interface, which is by default masquerading the lan and guest IPs before the packets are sent to the ISP.


Thank you - that makes a little more sense. Please bear with me if I try to clarify my understanding.

In the "dumbAP" scenario, are we assuming that there is another router somewhere on the lan with a wan interface (a "gateway"), and that the guest interface on the "dumbAP" device forwards internet connections through the lan to that gateway, whilst preventing the guest from accessing addresses within the lan?

Also, one other thing I'm not quite clear on - the second article (the "dumbAP" one) still shows a lan => wan forwarding - why is it there if it's not used?


That is correct.

The dumbAP is the first guide. The second guide is the router with a guest interface.
In the dumbAP there are wan interface, wan zone, and lan->wan forwarding, but they are not used.


Thanks. That makes sense. (Yes - I mis-typed - it is of course the first article that is the "dumbAP" one).

Thank you for your help so far. There is one more thing I'm not sure about though. The "dumbAP" guide adds three firewall rules, including one called "Block guest access to private network". The other guide does not include such a rule. However, when I configured a previous router using this guide I did find that (as desired) the guest devices could not access the devices connected to "lan". So why is the rule needed for the "dumbAP"? And what stops the guest devices from accessing the lan devices for the router with the guest interface, when it doesn't have such a rule?

In the case of the normal mode, the lack of a forward rule (Guest > LAN) means that guests cannot reach the LAN. To enable inter-VLAN connections, there must be a forward rule. By default, OpenWrt does not allow inter-VLAN/inter-network communication (some router operating systems work the same way, others allow inter-network routing by default and need firewall rules to limit/prohibit connections).

For the dumb AP operation, that forward is actually necessary for the guest network to work at all, but then there are firewall rules (toward the bottom of the tutorial) that allow DHCP and DNS, but then block all other traffic to the LAN subnet.
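To make the two scenarios concrete, here are the relevant /etc/config/firewall fragments side by side. This is an added illustration, not the text of either wiki guide; zone and rule names are chosen for readability, and the LAN subnet 192.168.1.0/24 is assumed from the 192.168.1.x addresses mentioned earlier in the thread (the wiki guides may use broader private ranges). In the dumb AP case the guest zone can only be forwarded into lan, so the lan zone must masquerade: the upstream gateway then sees guest traffic as coming from the AP's own lan address and needs no static route back to the guest subnet. Because guest is forwarded into lan, the guide's three rules are what keep guests away from LAN hosts while still letting them reach the AP's DHCP and DNS.

```uci
# --- Scenario 1: dumb AP (no wan in use), guest is forwarded into lan ---

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# Masquerade guest traffic leaving via lan so the upstream router
	# only ever sees the AP's lan IP and needs no route to the guest subnet.
	option masq '1'

config zone
	option name 'guest'
	list network 'guest'
	# Guests may not talk to the AP itself except where a rule allows it.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'lan'

# Guests need DHCP from the AP.
config rule
	option name 'Allow-Guest-DHCP'
	option src 'guest'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

# Guests need DNS from the AP.
config rule
	option name 'Allow-Guest-DNS'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

# Everything else that would be forwarded into the LAN subnet is blocked.
# 192.168.1.0/24 is an assumption for this example; use your own LAN range.
config rule
	option name 'Block-Guest-to-LAN'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'

# --- Scenario 2: router with its own wan, guest is forwarded to wan only ---

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# wan masquerades everything that leaves towards the ISP: lan and guest alike.
	option masq '1'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan'

# No forwarding from guest to lan exists, so no blocking rule is needed:
# OpenWrt only forwards between zones where a forwarding section allows it.
# (The same Allow-Guest-DHCP / Allow-Guest-DNS rules as above still apply.)
```

After editing, `uci show firewall` shows the resulting sections and `/etc/init.d/firewall restart` applies them. A quick sanity check from a guest client is to confirm that DNS and DHCP still work while a ping to a LAN host fails in scenario 1 without the block rule having to exist in scenario 2.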


Oh yes - I had not spotted before that in the "dumbAP" guide the guest zone is forwarded to the lan, but in the other it's forwarded to the wan. I think I understand now.

Thank you for your help, psherman and trendy. I'm impressed at how friendly and helpful this forum is, especially compared to some I've visited!

