
Wolfizen

@Wolfizen@pawb.social


Wolfizen, to homelab in Advice On Proposed Router Design

Your router and wireless access point seem OK. The switch looks suspicious: there is conflicting information in the description; some parts indicate Managed and some indicate Unmanaged. I caution against that switch specifically.

Wolfizen, to homelab in Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpreting what they are saying exactly.

I investigated more and it seems that one can indeed perform NAT with Linux netfilter without the Masquerade action. If one knows the address of the interface, simply using the “SNAT” action with a to-address of the outbound interface will achieve the same result as using the “MASQUERADE” action, as long as the address of the outbound interface does not change.

But, this fact only matters for the actual underlying netfilter. I should have been thinking about OP’s application specifically. For OpenWRT it probably does just mean Checked->NAT, Unchecked->No NAT.

Wolfizen, to homelab in Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpreting what they are saying exactly.

Oh, thank you! I think I mixed up the option with something else. I appreciate the correction!

Wolfizen, to homelab in Could someone explain these OpenWRT LuCI firewall settings to me? I am having trouble interpreting what they are saying exactly.

Everything you’ve said here also aligns with my knowledge!

I can add some additional information.

The Masquerade option changes how the packet rule behaves when performing in a NAT situation. When Masquerade is off, the rule is configured statically with each interface’s address when the rule is loaded. When Masquerade is on, the rule is evaluated dynamically every time against each interface’s current address.

If you are routing packets through an interface, and the interface’s address is dynamic (which is the case for most residential internet connections), you should have Masquerade ON to be able to route packets after the interface’s address changes during normal operation.
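The comments above turn on one condition: a static SNAT to-address only matches MASQUERADE while the outbound interface keeps that address. As an added example (not part of the original comments), this check flags SNAT rules whose to-address no longer belongs to the outbound interface; the rule dump, the interface names and the addresses are constructed samples, and only IPv4 `--to-source` values are assumed.

```python
import shlex

# Constructed sample in `iptables-save -t nat` format (not from the original page).
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -o wg0 -j SNAT --to-source 10.8.0.1:1024-65535
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

# Constructed sample: current IPv4 addresses per interface
# (on a live router these could be collected from `ip -4 -o addr show`).
SAMPLE_ADDRS = {"eth0": {"198.51.100.77"}, "wg0": {"10.8.0.1"}, "ppp0": {"192.0.2.5"}}


def parse_nat_rules(text):
    """Yield (out_iface, target, to_source) for each POSTROUTING rule."""
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "POSTROUTING"] or "-j" not in tok:
            continue

        def opt(flag):
            # Value following the flag, or None if the flag is absent.
            return tok[tok.index(flag) + 1] if flag in tok[:-1] else None

        yield opt("-o"), opt("-j"), opt("--to-source")


def stale_snat_rules(rules_text, iface_addrs):
    """Return (iface, snat_addr, current_addrs) for SNAT rules whose
    to-address is not currently assigned to the outbound interface."""
    findings = []
    for iface, target, to_source in parse_nat_rules(rules_text):
        if target != "SNAT" or to_source is None:
            continue  # MASQUERADE carries no fixed address that could go stale
        # --to-source may be "addr", "addr-addr" or "addr:port-port"; keep the first address.
        addr = to_source.split(":")[0].split("-")[0]
        if iface is None:  # rule without -o: accept any local address
            current = set().union(*iface_addrs.values())
        else:
            current = iface_addrs.get(iface, set())
        if addr not in current:
            findings.append((iface, addr, sorted(current)))
    return findings


if __name__ == "__main__":
    for iface, addr, current in stale_snat_rules(SAMPLE_RULES, SAMPLE_ADDRS):
        print(f"stale SNAT on {iface}: rule uses {addr}, interface has {current}")
```

A finding means traffic leaving that interface is rewritten to an address the router no longer holds, which is the failure the static SNAT form has after a dynamic address changes.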
