It's a RB5009 on routeros7 (openwrt does not seem to be stable on it yet). Frankly speaking, routeros is intimidating and since 4g coverage of my new apartment is abysmal I don't have a backup link if I screw it up. And it was pretty much the only piece of hardware checking all the boxes on the fiber side (well, aside enterprise stuff for a lot more).
Either way, turning on masquerading on lan interface seems to have provided the expected double NAT. Setting up guest WLAN on a dumb AP (Part 2) nudged me towards that. Is there anything wrong with the approach security wise?
I think removing dumbap in the title would be justified considering that it people generally seem to understand bridge lan/wlan under it and decidedly not the standard router config...