wAP + hAP ax3 LTE passthrough, IP address but no ping/internet

Hi,

I’m in the process of restructuring my home network but I’m already stuck at the first step for no obvious reason.

I want to set up LTE passthrough from a wAP to a hAP ax3. The steps I took come down to basically what’s been explained in the Mikrotik video: https://youtu.be/IZFAeLbujso

With passthrough not yet activated I have internet on the wAP. As soon as I activate passthrough even pinging results in only timeouts on the wAP as well as the hAP. The hAP net vlan gets an IP address from the provider, but no internet access.

I looked at similar tutorials provided, I checked the forum for similar issues, I reduced the configs by removing some more default settings just in case, I verified and changed different routes, all to no avail.

I have the feeling it’ll be something simple like a single firewall rule to change, but I’m pretty lost.

wAP export:

# 1970-01-02 04:40:19 by RouterOS 7.10.2
# software id = ET4X-ZJMR
#
# model = RBwAPR-2nD
# serial number = xxxxxxxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=france disabled=no distance=indoors frequency=auto installation=\
    outdoor mode=ap-bridge ssid=MikroTik-95CFF4 wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan10-net vlan-id=10
add interface=ether1 name=vlan20-man vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=free name=Free passthrough-interface=vlan10-net passthrough-mac=\
    48:A9:8A:B8:C8:76
/interface lte
set [ find default-name=lte1 ] apn-profiles=Free network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=wlan1 lease-time=10m \
    name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=wlan1 list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add disabled=yes interface=ether1 list=LAN
add disabled=yes interface=lte1 list=WAN
add interface=vlan20-man list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=wlan1 \
    network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add interface=vlan20-man
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name="MikroTik wAP"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

hAP export:

# jul/27/2023 13:52:18 by RouterOS 7.8
# software id = 51YS-DT88
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxxxxxxx
/interface bridge
add admin-mac=48:A9:8A:B8:C8:77 auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-B8C87B \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-B8C87C \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface vlan
add interface=ether1 name=vlan10-net vlan-id=10
add interface=ether1 name=vlan20-man vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=vlan20-man
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=vlan10-net list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add interface=vlan10-net
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name="MikroTik hAP ax3"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

What could be preventing internet from working in passthrough?

Just in case I disabled all firewall rules (wAP and hAP), but it doesn’t fix the issue.
I also performed an offline update from 7.8 to 7.10 yet still no luck.

When I perform the ping I get the following as a result, where the “host unreachable” IP address is the address obtained from the provider.

[admin@MikroTik hAP ax3] > ping 8.8.8.8
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 10.157.214.244                             84  64 792ms950us host unreachable
    1 8.8.8.8                                                      timeout
    2 8.8.8.8                                                      timeout
    3 8.8.8.8                                                      timeout
    4 10.157.214.244                             84  64 152ms304us host unreachable
    5 8.8.8.8                                                      timeout
    6 8.8.8.8                                                      timeout
    7 10.157.214.244                             84  64 673ms483us host unreachable
    8 8.8.8.8                                                      timeout
    9 8.8.8.8                                                      timeout
   10 10.157.214.244                             84  64 874ms297us host unreachable
   11 8.8.8.8                                                      timeout
   12 8.8.8.8                                                      timeout
   13 8.8.8.8                                                      timeout
   14 10.157.214.244                             84  64 151ms369us host unreachable

Your configuration is not correct

The WAP (I consider that it has no other function than modem)

  • reset with no default configuration
  • you configure a “management” vlan (or the name you want) on ether1
  • you configure your APN with passthrough on ETHER1
  • you configure a DHCP client on the “management” vlan interface
    nothing else

HAP
Configuration as it is with the following changes
1 single VLAN on ether 1 “management” (or the name you want) with the same id configured on the WAP
added the “management” VLAN in your bridge

@dad2312
please use English so everyone can follow. I changed your post.

In the forum, I ask everyone to communicate in English, as that is the language most forum members understand. Many thanks to everyone 🙂

Thank you for your reply @dad2312.

I’ve seen that setup in a different tutorial as well, but because the video shows it working with two VLANs I figured that would be the recommended way.

I tried your suggestion with one exception: I replaced the net vlan with eth1 in the hAP’s WAN list. Otherwise NAT would be broken. The result is the same though. I get an IP address assigned from the provider to eth1 directly, but still no ping/internet.

Just in case I tried with adding eth1 to the LAN list on the wAP as well, but it did not make a difference.

I did notice, however, that obtaining an address from the provider is not always “stable”. Be it on eth1 directly or the net vlan. During all the config changes, resets and reboots it sometimes remained on “searching” for example. At first I thought I had to fix a passthrough mac address and that appeared to change it, but later on it worked without as well.
When stuck on obtaining an address a reboot of the hAP usually fixed it.

Could it be that the passthrough is somehow not happy with multiple interfaces (physical and vlan) having the same mac?

By now I tried the following three combinations, each of them should be working, but none of them are on my devices:

  1. vlan10-net for passthrough + vlan20-man for management
  2. vlan20-man for management + eth1 for passthrough
  3. vlan10-net for passthrough + eth1 for management

In all cases I get an IP address from the provider on the hAP through the wAP. In all cases ping is not working.

Does anyone have one of these combos working on ROS 7.10.2? Which ROS version are you using on the wAP side?
Is passthrough support also related to the modem in the wAP? I’ve got a HUAWEI ME909u-521 included.
If I do get an IP address, can we conclude that passthrough should be possible?
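
The WAN-list point raised above (NAT depends on the interface that holds the provider address being in the hAP's WAN list) can be checked mechanically against an `/export`. The following is an added example, not part of the original thread: `parse_export`, `audit_uplink` and the finding codes are hypothetical names, and the sample is a constructed, trimmed-down copy of the hAP export posted earlier.

```python
import shlex

# Constructed sample: a trimmed-down version of the hAP ax3 export shown above.
SAMPLE_HAP = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=vlan20-man
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=vlan10-net list=WAN
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add interface=vlan10-net
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
"""


def parse_export(text):
    """Turn RouterOS `/export` text into (menu, command, attrs) tuples."""
    statements, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # statement continues on the next line
            buf += line[:-1]
            continue
        statements.append(buf + line)
        buf = ""
    entries, menu = [], None
    for stmt in statements:
        if not stmt or stmt.startswith("#"):
            continue
        if stmt.startswith("/"):         # menu path such as "/ip dhcp-client"
            menu = stmt
            continue
        tokens = shlex.split(stmt)       # honours the double-quoted comments
        attrs = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((menu, tokens[0], attrs))
    return entries


def audit_uplink(export_text, uplink):
    """Return (code, message) findings for the interface facing the modem."""
    entries = parse_export(export_text)

    def rows(menu, **want):
        # Enabled "add" rows of one menu whose attributes match `want`.
        return [a for m, c, a in entries
                if m == menu and c == "add" and a.get("disabled") != "yes"
                and all(a.get(k.replace("_", "-")) == v for k, v in want.items())]

    lists = {a.get("list") for a in rows("/interface list member", interface=uplink)}
    findings = []
    if not rows("/ip dhcp-client", interface=uplink):
        findings.append(("no-dhcp-client", "no enabled DHCP client on the uplink"))
    if "WAN" not in lists:
        findings.append(("not-in-wan", "uplink is not an enabled WAN list member, so "
                         "WAN-scoped NAT and forward-drop rules do not cover it"))
    if "LAN" in lists:
        findings.append(("in-lan", "uplink is in LAN, so the input chain, MAC server "
                         "and neighbor discovery treat the provider side as trusted"))
    if rows("/interface bridge port", interface=uplink):
        findings.append(("bridged", "uplink is also a bridge port"))
    if not rows("/ip firewall nat", action="masquerade", out_interface_list="WAN"):
        findings.append(("no-masquerade", "no enabled masquerade rule for WAN"))
    if not rows("/ip firewall filter", chain="forward", action="drop",
                in_interface_list="WAN"):
        findings.append(("no-wan-forward-drop", "no forward drop for new WAN traffic"))
    return findings


if __name__ == "__main__":
    for code, message in audit_uplink(SAMPLE_HAP, "vlan10-net"):
        print(f"{code}: {message}")
```

Run it against the downstream router's export each time the passthrough interface is moved between a VLAN and `ether1`; an empty result means the default WAN-scoped rules still apply to the interface carrying the provider address.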

You can keep your 2 VLANs, it works too.
Remember, if your wAP doesn’t have any function other than modem, it must not do the NAT (just pass through the IP).

Example
WAP (reset with no configuration)
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=3,7 mtu=1480 network-mode=lte
/interface vlan
add interface=ether1 name=INTERNET vlan-id=3
add interface=ether1 name=MANAGEMENT vlan-id=2
/interface lte apn
set [ find default=yes ] apn=free ip-type=ipv4 passthrough-interface=INTERNET passthrough-mac=auto use-network-apn=no use-peer-dns=no
/ip dhcp-client
add interface=MANAGEMENT

HAP (default configuration)
with these changes :
/interface vlan
add interface=ether1 name=INTERNET vlan-id=3
add interface=ether1 name=MANAGEMENT vlan-id=2
/ip dhcp-client
add interface=INTERNET
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=INTERNET list=WAN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=MANAGEMENT

Thanks again for your reply @dad2312.

This time, to make sure I didn’t overlook something, I did reset the wAP without a default config. Unfortunately I keep ending up with the same result. An IP Address from the provider but no internet that’s working. Pings keep timing out and the host remains unreachable.

Exports of both devices attached.
With such simple setups for the two of them I can’t shake the feeling that it’s more likely either a ROS version issue or modem compatibility.
With which ROS version and modem is it working for you guys?

EDIT
And just like that it looks like I have my answer: https://help.mikrotik.com/docs/display/ROS/Peripherals

My modem has “NO” for passthrough support…
Unless someone can say otherwise I guess I have to accept that not all modems work properly in passthrough mode and the “NO” here actually means it’s a no-go instead of a not-supported-but-possibly-working.
wAP_vlan+vlan.export.rsc (724 Bytes)
hAP_vlan+vlan.export.rsc (6.71 KB)

The fact that passthrough is supposed to work for the ME909s-102 but not for the ME909u-521: does this happen to have anything to do with the at-chat subnet mask to /32 config, as described in the Mikrotik docs? If so, is it safe to try this for the ME909u-521 as well?

Personally I’d avoid passthrough. LTE passthrough only really helps if you have a “real” public IP. In most cases, LTE uses a CGNAT. And using Layer-3 routing is all that’s needed to avoid a double-NAT.

QuickSet may be simpler. If you reset both WITH defaults, and in the QuickSet for each:

  • set IP to 192.168.88.2 for wAP and 192.168.88.3 for hAPax3
  • disable the DHCP server on the wAP but DHCP checked/enabled in QuickSet on hAPax3
  • set the Wi-Fi on the wAP to match SSID/password on hAPax3, so the wAP extends the Wi-Fi from hAPax3 a bit
  • hit “OK” in QuickSet
  • connect the wAP to ether2-5 on the hAPax3 (…or add ether1 as bridge port on hAPax via Bridge>“bridge”>Ports, so the PoE can power the wAP using ether1 bridge to LAN ).
  • then in webfig/winbox, on each router
  • if LTE is the only WAN, then hAPax3 only, add a default route to wAP in /ip/route for dst-address=0.0.0.0/0 and gateway=192.168.88.2.
  • set DNS server in /ip/dns to your preferred ones on both (since hAPax3 won’t have a dynamic DNS available)
  • (and other config like perhaps add /ip/cloud DDNS, Let’s Encrypt certs, queues, vlans, disable unused services/protocols, or perhaps BTH VPN if 7.11, etc.)

In this scheme it’d be trivial* to add VRRP, which adds some redundancy that wouldn’t be possible with passthrough. And with a CGNAT, passthrough just adds more complexity and no redundancy.

  • e.g.
  • add a VRRP interface on both set to listen on bridge & set priority to 200 on the wAP, default priority on hAPax3
  • set the /ip/address of VRRP on both to 192.168.88.1/32
  • enable DHCP server on both routers with the gateway set to 192.168.88.1 and listening on the VRRP interface (instead of bridge)
  • add VRRP interface to the LAN interface-list in /interface/list/member

I’d still recommend just not using passthrough, but…
I’m not sure I 100% trust that – although your results do seem to indicate that’s right… [Mikrotik isn’t super pro-active about updating it…]
What modem do you have? Some support a few modes (e.g. MBIM or “IPDirect”/CDC-Ethernet) so the table MAY refer to V6 or one mode or another where it doesn’t work…

I’ve got a HUAWEI ME909u-521. The page tells me passthrough is not supported, but I find that a little bit odd when it does work for the similar ME909s-102.

Thank you for providing an alternative config.
In fact, I’ve got a very similar config running with the wAP together with a hAP ac for a couple of years now. At the time passthrough wasn’t available yet. I’m now replacing the hAP ac with the ax3 and I wanted to take the opportunity to switch to passthrough because it allows simplifying and centralising things a bit.
The older hAP ac will remain active as a simple access point connected to the ax3.

I’ve got things up and running now with the new setup together with the old config, like you suggested. Though I would be interested to learn if and why passthrough really isn’t an option.

I don’t have the spec/AT commands for the ME909u. But I recall the ME909u worked in V6 as LTE, so it’s IPDirect/CDC-ethernet. My only guess is passthrough should work on all/most modems in MBIM mode, and your modem is in the IPDirect/CDC-ethernet mode which was spotty on passthrough support (e.g. IPDirect with passthrough works only on R11e-LTExxx things if I recall).

Since that modem isn’t particularly fast, the wAP doing the WAN routing/NAT likely isn’t an issue…since speeds cannot be that high on the ME909u… If you had some high category modem, that’s doing hundreds of MBs in speed, in an older wAP…yeah passthrough to a much faster router like hAPax3 has more benefit. Otherwise, just bridging the wAP and having hAP route to it is kinda easier, and safer since I agree the docs have a “N” – likely for some reason…

One note… is the hAPax3 has a USB port … so you might be able to find a cheap/modern hotspot (that may be faster than the older ME909u) and plug that directly in the hAPax3 to get LTE directly there…