Apr 20, 2008 13:56
No, I have NO FSCKING IDEA why my linux-based router won't route packets
from the DMZ port to anywhere else. I'm guessing it's some piece of
Shorewall misconfiguration that's been lingering around since the
last time I tried banging my head against this particular
problem.
However, my head is very damned sore now, and it at least
continues to route from the internal network, so I was able to put the
wireless router there where it used to be. At least it works now, even if
it isn't as secure as I would like it to be. What's more, the WAP now
seems willing to route to the internal network (it had damned-well
better, since it's a host on it), so users of my internal web
pages should be happy now.
I'm not happy. But it's less broken than it's been for several
months, so I'm going to move on for now.
Note to self: any hostnames used in the firewall rules had better be in
/etc/hosts, because you can't get to any DNS servers while
the firewall is busy configuring itself.
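The note above points at a check worth automating: while the firewall is reloading, name lookups through DNS fail, so any hostname a rule references must be satisfiable from /etc/hosts alone. The script below is an added example, not code from the original post or from Shorewall; it scans a rules-style file for hostname-looking tokens and reports the ones that have no /etc/hosts entry. The file paths, the sample rules and the sample hostnames are constructed for the demonstration, and the token filter is an assumption about what a hostname in such a file looks like (starts with a letter, contains a dot).

```shell
#!/bin/sh
# Added example (not from the original post): report hostnames used in a
# Shorewall-style rules file that are absent from a hosts file, because DNS
# is unreachable while the firewall is (re)configuring itself.
# Paths, sample rules and hostnames below are constructed for this demo.

# Print each hostname referenced in RULES_FILE that is not a field of any
# line in HOSTS_FILE. Usage: missing_hosts RULES_FILE HOSTS_FILE
missing_hosts() {
    rules="$1"
    hosts="$2"
    # Drop comments, split on whitespace/colons/commas, keep tokens that look
    # like hostnames (leading letter, at least one dot), dedupe.
    sed 's/#.*//' "$rules" \
      | tr ' \t:,' '\n\n\n\n' \
      | grep -E '^[A-Za-z][A-Za-z0-9.-]*\.[A-Za-z]' \
      | sort -u \
      | while read -r name; do
            # Escape dots so the name is matched literally in the hosts file.
            esc=$(printf '%s' "$name" | sed 's/\./\\./g')
            # A hosts entry counts only if the name is a whole field after the address.
            grep -Eq "^[^#]*[[:space:]]$esc([[:space:]]|\$)" "$hosts" || echo "$name"
        done
}

# Build a constructed rules file and hosts file, run the check, clean up.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/rules" <<'EOF'
# constructed sample in Shorewall rules style (zones net, loc, dmz)
ACCEPT   net   dmz:www.example.test    tcp   80,443
ACCEPT   loc   dmz:mail.example.test   tcp   25
DNAT     net   dmz:192.168.2.10        tcp   22
EOF
    cat > "$tmp/hosts" <<'EOF'
127.0.0.1     localhost
192.168.2.10  www.example.test www
EOF
    missing_hosts "$tmp/rules" "$tmp/hosts"
    rm -rf "$tmp"
}

# Running the script directly lists the hostnames with no hosts entry.
[ "${0##*/}" = "check_hosts.sh" ] && demo
```

On the constructed input, only mail.example.test is reported: www.example.test is present in the hosts file, and the literal address and zone names are skipped by the token filter. Run it against the real rule files before a reload (the demo function only exercises the constructed sample).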
Duh! It helps to enable masquerading for the interface. It helps
to read the useful comment I left for myself in
/etc/shorewall/masq. It would help even more if that solved
the whole problem: it still doesn't route to the internal
network. Grump.
linux,
network