Adventures in Triple NAT (help me!)

Hello forum friends,

I am the happy owner of a new Mango GL-MT300N-V2

Here’s my topology

Questions might arise as to what the hell I am doing…

  1. I have 6 Google Wifi pucks - they are fantastic at mesh wifi everywhere - but they have no VPN
  2. I want to check I can set up a network to do what I want
    a) VPN for everything
    b) Apart from Netflix because they don’t allow it

I am

  1. Uploading the new version of firmware (test) as it has VPN policies so I can just exclude netflix from the VPN traffic
  2. Triple NAT is a pain in the arse, but I can set up traversal port mapping rules in each router

Is there are better way (to achieve this, with this kit)
What do I need to do so that I can resolve the Cable Modem admin interface (in network) from the Google Wifi network ( network)

Very impressed with the Mango so far

(Code for the diagram in case I need it…)
cloud internet as INT
folder “Cable Modem DHCP ( / 24)”{
interface “Gateway (” as BGW
interface “Mango (” as MGIP
folder “Mango DHCP ( / 24)”{
interface “Gateway (” as MNGW
interface “VPN TUN (” as VPN
interface “GoogleWifi (” as GIP
folder “GoogleWifi DHCP (” {
interface “Gateway (” as GGW
component Netflix
component “Everything else”

Why are you doing an extra layer of NAT/DHCP at the Google WiFi? Can’t you just run those devices as part of the Mango’s LAN network? (i.e. use them as APs instead of routers) Since the Mango is doing all the traffic control/routing anyway, I don’t see the purpose in the “third NAT” layer?..

EDIT: Apparently when you switch the Google Wifi to AP only you loose mesh abilities… which seems pretty absurd to me but hey, I’m not Google who wants to be able to intercept and steal all your data for my advertising purposes ;o) So sounds like you’re kinda stuck with the horrible setup you have.

If you were to remove that then you’re in the “Double NAT” setup that a large number of people end up with these days (except for those lucky enough to be able to actually bridge their modems rather than just NAT through it). In that kind of case, a simple static lease + DMZ on the modem to the Mango makes that first NAT transparent, and you are left with at least a reasonably manageable setup as you only ever need to worry/think about one firewall (the Mango itself).

Hey @joloius thanks for replying; yeah you’ve got it exactly right. I’m not saying I don’t regret buying the Google Wifi kit. It does a job, but it’s pretty awful for privacy.

But… any idea to but the G monster back in its box a bit? I think the firewall rules at least ought to be simple - they just elude my primitive brain

Assuming that it establishes a “phone home” channel (which I assume that it does), there’s virtually nothing you can do to protect it from recording and reporting everything that passes through it. Google certainly knows that you can’t block all of the Google servers (so an IP-based block won’t help) and, I assume will have alternate approaches if you find the protocol they’re using and block it (for example, blocking ESP).

Wireshark would be my tool of choice to figure how how it phones home.

Ok - that’s not really my goal here; after all how do I know that the GL hardware hasn’t compromised me.

Let’s all confidently assume we are root’d by nation state actors.

As a hobby project can I route some traffic via a VPN and some other traffic not via the VPN?

Can I also route to the primary “enclave” from the tertiary “enclave” network?

(I just want some dnsmasq tips basically, I know I can’t beat the NSA)

Ok its all working very nicely now; VPN policies are a beauty - just the niggle of accessing resources in the outer network ( from the inner network (

Here I have no idea - any suggestions?!

static routes – the problem is likely that the return packets from your outer network try to go by your default gateway rather than via