One thing that is always good to remember is that in the overlay network all services can access each other automatically. I mean that it does not matter whether they are running on the same node, on different nodes or even in different data centres. And you don't need to expose the ports of the applications; within the overlay any open port can be accessed. That's what makes it so powerful.
If you really need to pin certain services only for certain nodes, you can do it with affinity rules:
Again, for WP sites to access MySQL, you do NOT need to expose any ports, unless you also want MySQL to be accessible from the outside world (outside of the Kontena grid). Also, regardless of where MySQL is running, the WP services can connect to it using the overlay network automatically.
That would mean running the loadbalancer on the WAN node(s) and linking multiple WP stacks into the same LB service with different domains. And as you said, have the external DNS configured so that it points to the WAN IPs. One thing, again, to point out is that you do NOT need to run the WP services on WAN nodes specifically. LB will proxy the traffic over the overlay network and thus proxy it to all WP instances running on any nodes.
Here's one simplified example:
`daemon` strategy and affinity rule to deploy LB on ALL WAN nodes. To tell Kontena a node is a WAN node use `kontena node label add node-1 wan` for all WAN nodes. Now when you hit LB external IP with `site-a.example.com`, you'd get nginx test page. With `site-b...` you'll get Apache test page.
I'll make sure some of our biz folks look at this and we'll get back to you on this topic.
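A stack file for the layout described in the reply above, added here as an illustration and not the poster's original example: only the load balancer publishes a host port and is pinned to nodes labelled `wan`, while WordPress and MySQL publish nothing and are reached over the overlay. The stack name, the secret name `WP_DB_PASSWORD` and the image tags are assumptions.

```yaml
# Constructed example; stack name, secret name and image tags are placeholders.
stack: example/wp-site
version: 0.1.0
services:
  lb:
    image: kontena/lb:latest
    # The only service in the stack that publishes a port on the host.
    ports:
      - 80:80
    deploy:
      strategy: daemon        # one instance on every node matching the affinity
    affinity:
      - label==wan            # nodes labelled via: kontena node label add <node> wan

  wordpress:
    image: wordpress:latest
    instances: 2
    # No "ports:" and no affinity: instances may run on any node and receive
    # traffic from the LB over the overlay network.
    links:
      - lb
    environment:
      - KONTENA_LB_MODE=http
      - KONTENA_LB_INTERNAL_PORT=80
      - KONTENA_LB_VIRTUAL_HOSTS=site-a.example.com
      - WORDPRESS_DB_HOST=mysql
    secrets:
      # Assumes a vault secret named WP_DB_PASSWORD already exists in the grid.
      - secret: WP_DB_PASSWORD
        name: WORDPRESS_DB_PASSWORD
        type: env

  mysql:
    image: mysql:5.7
    stateful: true
    # No "ports:": 3306 is not published on any node and is reachable only
    # from other services inside the grid's overlay network.
    secrets:
      - secret: WP_DB_PASSWORD
        name: MYSQL_ROOT_PASSWORD
        type: env
```

Because any open port is reachable from every service inside the overlay, leaving out `ports:` limits exposure to the outside world only; the database still needs its own authentication.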