Best Placement of a Brume 2 or Beryl AX to achieve the Desired Use Case?

I've used the search engine, but didn't find anything quite on point (but did learn a few bits of wisdom that reveal that Google WiFi isn't the most friendly device). I was writing because I have two use cases I'd like to achieve using either a Brume 2 or Beryl AX on my home network setup - I understand they are similar apart from WiFi capability, and I have one of each to use for this. As background, my current setup consists of my FiOS ONT WAN cable directly connected to the Google WiFi router that is the entry point for the mesh. No modem needed and everything works just fine. The two desired capabilities I want to achieve are as follows:

  1. Whole Home VPN Encrypted Network: I have Proton VPN and would like for my entire mesh network to benefit from it, including devices (TV, etc.) where the client can't be installed. The Google WiFi router lacks the ability to configure a VPN (but it at least has some features that may be necessary for what I want to do, including custom DNS, DHCP reservations, and the like).

  2. Ability to Remote to Home Internet: When travelling, we'd like to be able to use a Beryl AX or other router to remote back to our home internet from the Hotel WiFi. We have no need to connect to other devices on the home network except for a Synology NAS DS918+.

Given the two use cases, where would placement of the Brume 2 or Beryl AX be best done, and which would be the more appropriate device for this? If I place one "in front" of the Google WiFi router, I'd get full VPN encryption, but there would be a double NAT situation (unless I put it into bridge mode and let the connection passthrough to the Google router to handle all DHCP assignments, correct?). BUT... I'm not sure whether either can operate in bridge mode and (i) still pass the encrypted VPN client connection forward toward the Google Mesh and (ii) allow me, when tunneling in using the separate VPN server that I'd have to setup, to be able to access the Synology NAS, correct?

I realize I may be mixing up a lot of concepts and really demonstrating my ignorance here, so any insight on how the above may be achieved would be extremely appreciated. Thanks so much in advance!

It is very simple really and I use a very similar setup albeit with a Deco (rather than a Google mesh). All you need is to set your network up in the way you have already described but let your GL.iNet do all the NATing and VPNing and set your mesh system in ACCESS POINT mode to function as a dumb WiFi radio for your home network. Use your second GL.iNet router for your travels (you may need to set a VPN policy up to allow your remote router to access your home one if the Proton VPN client is always active - or even easier by just using Tailscale) and Bob's your uncle.


Agreed. I'd also turn the Google unit into a straight-up AP. Use a Beryl AX for the travel router, a Flint v2 (GL-MT6000) as the primary ingress. I specifically say Flint v2 because, while at first glance the Flint v3 (GL-BE9300) may have better OpenVPN-DCO performance, the Flint v2 is fully supported by 'pure'/'vanilla' OpenWrt Linux. Note OVPN isn't as straightforward to set up as a VPN using WireGuard.

(Side note: Tailscale is a WG-based VPN SDN so WG performance matters here too.)

If you ever find yourself needing to get into some really crazy/advanced network design flashing pure OWRT is going to give you a far better chance than the Flint v3 & its reliance on the proprietary SDK by Qualcomm.

To your concern re: double NATing. It's a clear 'mark of shame' for a sysadmin/net eng to engage in it but it's really not much of a big deal if the primary reason is in a SOHO env to get mesh-connected clients out to the WAN with their silly little tablets & phones. It just adds a few dozen ms of latency; It's hardly noticeable compared to Netflix or Youtube buffering.

The Beryl AX also supports pure OWRT, BTW.


I thought exactly the same, but the problem I foresee here is what I linked to in my initial post. This post reveals that Google WIFI needs to remain as the device provisioning DHCP leases or else the mesh network starts to fall apart! :(

I did read somewhere, and I'll have to search for the link, but someone was apparently able to install the Brume 2 as just another device attached to the Google WIFI router -- as an aside, am I correct that this would mean the Brume 2 is "behind" the Google router? -- but then used some crafty port forwarding or drop-in gateway magic(?) to (1) allow the Google Router to continue to control DHCP assignments but somehow still route traffic from all devices attached to the router through the Brume 2 to take advantage of it. I didn't quite understand it, but does that sound like something that is even possible? It seemed counterintuitive to my visceral thinking that traffic is routed forward and not somehow backward, which is why I assume that I'd have to place the Brume 2 or Beryl before the Google Router so it passes through that device and gets encrypted before it hits the router.

Does that make sense?


As I posted to Lastimosa, it seems that the Google unit can't be an AP or else the mesh network it creates falls apart sadly. So somehow I need to keep the Google router as the assigner of the DHCP leases but yet still get the traffic to pipe through the Brume 2 or Beryl AX. I notice you mentioned Flint routers, but I'd really like to avoid buying yet another product since I have both of the above.

Maybe some threshold questions are in order:

  1. Can a Brume 2/Beryl be set to bridge mode and still pass VPN-client-configured traffic to and from the Google Router? If so, then maybe it just makes sense to use one of these devices strictly for that purpose and then use another attached to the mesh network to serve as the VPN server I'll remote into. It would be a shame that I couldn't pull this off with one device, but if it must require two, so be it.

  2. In your comments on Double NATing: I'm glad to hear it's not catastrophic, but will it pose problems for me being able to access the admin panels of the GL.iNet product if it is placed as the first "ingress" point (again, trying to see if I'm using the correct terminology, please correct if wrong)?

Thank you all so, so much for your help!

That is a real bummer then.

My experience with Drop-in-Gateway is that it will probably create more problems than it would solve and although it may work to an extent (no harm in trying if you wish, I guess), I think double NATing would probably be a much less problematic situation, as @9b9e69c2-4b75-4420 has also suggested. The only problem I would envisage is accessing your home internet from outside once you are in a double NAT situation and also with a VPN client and tunnel being on as well (you will be able to reach the Google Nest router using things like Tailscale, VPN policy and port forwarding but not sure that you will be able to reach beyond). Best of luck and keep us posted.


Using a VPN gateway is going to require routing to shunt the traffic to where it needs to be so I don't think 'bridged mode' or 'drop in gateway' is going to do much other than cause you problems. I'm thinking in the concept of 'layers' more than anything.

I'd go WAN -> Brume [0] -> Google [1]. That's double NAT'd but if you put your NAS on Network No. 0, you'll be able to remotely connect/VPN into it when travelling. Network No. 1 can just act as the mesh to serve mobile clients.

'Ingress' works, especially in the case of discussing VPN access into your LAN from a remote site somewhere out on the WAN/Internet.

If your device is on Network No. 0, GL.iNet default of 192.168.8.0/24, you won't have any problems. 192.168.8.1 is the GL GUI address. Note the Brume v2 only has a couple of ports: WAN, LAN. That's another reason to go with something like another Flint v2 as the primary router: more Ethernet ports... the extra Wi-Fi capabilities don't hurt. The 2.5 GbE ports would be great for the NAS.

If you were on Network No. 1 trying to access the GL.iNet GUI on Network No. 0, you'd have to do some port forward finagling to pass that traffic thru that 'inner' net (relative to the 'outside' that is the WAN) but that all comes down to the capabilities of the Google device.

Bear in mind double NAT'd would mean all the clients in Network No. 1 will be shunted thru the VPN of Network No. 0 when accessing the WAN... there will be no ability to white/blacklist client devices from using it or specific VPN endpoint or otherwise. It's all or nothing.

But it all depends on what you need it to do.

Now, all that said it behooves me to mention this: GL.iNet recently announced they intend to produce a Brume v3. I mention this because it is to potentially feature three (3) Ethernet ports: WAN, 2.5 GbE, 2.5 GbE versus the Brume v2's two (WAN, 2.5 GbE; see below). A final design has not been stated so to think it would be released to production would be premature ATM to say the least. I only mention this because I wouldn't want to buy a Brume v2, with only one 2.5 GbE port for the LAN available, knowing a Brume v3 may well end up providing two (WAN, (2) 2.5GbE). If there's anything on your NAS you need to access while travelling you'll want that on Network No. 0 which means two LAN ports; one for the mesh. Either way expect the need to set up some port forwarding/firewall rules on the Google device. That device's capabilities are the real variable in all this.


So I'm a bit of an idiot. Rather than going on about the Brume v2's lack of LAN ports an option is to connect that sole 2.5 GbE to a basic 'dumb' switch (read: not a 'managed' switch) to expand it. 4 & 5 port 1 GbE switches go for as little as 10.00 USD on Amazon. 2.5 GbE & 5.0 GbE are more but not unreasonably so.

Then the NAS can sit in Network No. 0.

Thank you so much for your help and thoughtfulness! I thought to create a flow chart diagram of the proposed arrangement using what you've explained, with the only change being the renaming of "Network 0" and "Network 1", to "Network A" and "Network B", respectively.

[Image: Proposed Network Setup]

As the diagram shows, Network B is my current set up, and you propose the insertion of Network A. My current network has a single intranet(?) IP range of "192.168.86.*". From your explanation, it sounds like the following would be true with this setup:

  • The NAS could be accessed remotely by tunneling to the VPN server directly setup on Network A.

  • All other devices that connect wirelessly will be connected to Network B, along with the various devices that are connected via ethernet cable. (As our house was fortunately built with ethernet runs to various rooms, I put an unmanaged switch after the Google Router to make use of the hardwiring and to also allow for a hardwired backhaul of the Google points in the house.)

  • All devices on Network A and B would be subject to the VPN client encryption on the Brume/Beryl AX used in Network A. There would be no split tunneling available.

Some questions regarding this setup:

  1. Are my statements above correct?

  2. You mention I'd need port forwarding on the Google Router to the Brume/Beryl in Network A. What ports would I need to forward? And is there any danger in doing so or will the Brume/Beryl provide safety from those ports being open to the internet?

  3. I am starting to feel like the Beryl AX may be more useful here than the Brume 2 since both can run simultaneous VPN server and clients and with the Beryl AX I could broadcast a hidden SSID and connect directly to it with a device to access its GUI and presumably skip the port forwarding altogether. Or will I need to port forward regardless for proper functionality? Is there any advantage of using a Brume 2 over the Beryl AX that you or anyone can think of?

  4. How would devices on Network B reach the NAS on Network A?

Thanks to you and everyone for your help with this!

I have Imgur blocked; it is a web site known to be privacy invasive. You can directly embed images into your post using the 'upload' next to the 'bullet point' formatting icon on toolbar when composing.

You might find draw.io to be of interest. It's also available as an offline installed application depending on your OS.

Provided the GL device's LAN port limitations are kept in mind it seems ideal. You may need to grab a switch to expand out Network A's LAN.

The Brume v2 (GL-MT2500) is, as advertised in a stock configuration by GL.iNet, 55 Mbps faster over WireGuard than the Beryl AX (GL-MT3000). Both devices support 'pure' OWRT should that day come and/or when GL.iNet ceases support/firmware updates.

You're correct; just jumping onto a SSID to manage the GL GUI is a helluva lot easier than bothering to set up port forwarding from within Network B to reach out to a Brume v2 on Network A but...

If you want Network B clients to access Network A's NAS you'll need to set some sort of port forwarding on Network B's Google gear. The specific ports are dependent on what services/daemons you have running on your NAS that you'd like to expose to Network B. There is no risk in port forwarding Network B -> Network A as that's only occurring on the second/'inner' NAT. Network A still filters the WAN on that device's (the 'outer'/primary/absolutely-must-be-in-place-or-omg-wtf-are-you-doing-staph-it-now-you-fool) NAT & firewall.

Keep in mind both only have one GbE available for the LAN. I'd recommend a 2.5 GbE or better dumb switch for the NAS if said NAS supports 2.5 GbE.

Unsolicited advice: Most, if not all, retailers have a 30 day return policy (eg: AMZN). I'd grab a Brume v2, a switch & set that up. If you find the port forwarding can't be done (eg: GL GUI if not NAS access) I'd exchange it for a Beryl AX... if not a Flint v2 (I really like the Flint v2!).
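As an added example (not from any post in this thread, and not GL.iNet's own configuration), here is how a security engineer would configure the outer router of the WAN -> Brume (Network A) -> Google (Network B) layout discussed above on stock OpenWrt, written as a `uci batch` script. It answers the "which ports" question for the WAN side: the only thing exposed to the internet is the WireGuard listener, and the remote peer is then allowed through to the NAS alone rather than to all of Network A. Everything concrete in it is an assumption for illustration: a NAS at 192.168.8.10, WireGuard on UDP 51820, DSM on TCP 5000/5001 plus SMB on 445, a single peer at 10.10.0.2, the placeholder keys, and the stock `wan`/`lan` zone names. On GL.iNet firmware the GUI's WireGuard Server and VPN Policy pages manage these same objects, so apply the idea there rather than the raw commands.

```shell
#!/bin/sh
# Added example: OpenWrt UCI batch for the outer GL.iNet router ("Network A").
# All values below are assumptions for illustration; replace them for a real install.
NAS_IP="192.168.8.10"                # Synology on Network A's LAN (assumed address)
NAS_PORTS="5000 5001 445"            # DSM HTTP/HTTPS and SMB (assumed services)
WG_PORT="51820"                      # the one UDP port exposed on the WAN
WG_SUBNET="10.10.0.1/24"             # tunnel address of the server side
WG_PEER_IP="10.10.0.2/32"            # the travel router's tunnel address
WG_SERVER_KEY="REPLACE_WITH_SERVER_PRIVATE_KEY"     # from: wg genkey
WG_PEER_PUB="REPLACE_WITH_TRAVEL_ROUTER_PUBLIC_KEY" # from: wg pubkey (on the peer)
WG_PSK="REPLACE_WITH_PRESHARED_KEY"                 # from: wg genpsk

# Emit the configuration in 'uci batch' syntax. Nothing is applied here;
# comments and blank lines are stripped so the output can be piped straight
# into 'uci batch' on the router.
brume_uci_batch() {
    grep -v -e '^#' -e '^$' <<EOF
# --- WireGuard server interface -------------------------------------------
set network.wg0=interface
set network.wg0.proto='wireguard'
set network.wg0.private_key='${WG_SERVER_KEY}'
set network.wg0.listen_port='${WG_PORT}'
add_list network.wg0.addresses='${WG_SUBNET}'

# One peer: the travel router. Only its own /32 is accepted as a source.
add network wireguard_wg0
set network.@wireguard_wg0[-1].description='travel-router'
set network.@wireguard_wg0[-1].public_key='${WG_PEER_PUB}'
set network.@wireguard_wg0[-1].preshared_key='${WG_PSK}'
add_list network.@wireguard_wg0[-1].allowed_ips='${WG_PEER_IP}'
set network.@wireguard_wg0[-1].route_allowed_ips='1'
set network.@wireguard_wg0[-1].persistent_keepalive='25'

# --- Firewall ---------------------------------------------------------------
# The only hole in the WAN: UDP ${WG_PORT} for WireGuard handshakes.
add firewall rule
set firewall.@rule[-1].name='Allow-WireGuard-WAN'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='${WG_PORT}'
set firewall.@rule[-1].target='ACCEPT'

# Tunnel zone with REJECT defaults: a peer sees nothing it is not listed for.
add firewall zone
set firewall.@zone[-1].name='wg'
add_list firewall.@zone[-1].network='wg0'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'

# Least privilege: the remote peer may reach the NAS on the listed ports only.
# Deliberately no 'forwarding' section wg->lan, so the rest of Network A
# (including the Google router's WAN side) stays closed to the tunnel.
add firewall rule
set firewall.@rule[-1].name='WG-to-NAS'
set firewall.@rule[-1].src='wg'
set firewall.@rule[-1].dest='lan'
set firewall.@rule[-1].dest_ip='${NAS_IP}'
set firewall.@rule[-1].proto='tcp'
set firewall.@rule[-1].dest_port='${NAS_PORTS}'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# Usage on the router (not run here):
#   brume_uci_batch | uci batch && uci commit \
#     && /etc/init.d/network reload && /etc/init.d/firewall reload
```

Two checks before trusting it: `wg show wg0` should list the peer with a recent handshake once the travel router connects, and `nmap -sU -p 51820 <home WAN IP>` from outside should be the only open port you can find. With the Proton client active on the same router, also confirm that replies to the WireGuard peer leave through the ISP link and not through the Proton tunnel (the "VPN policy" mentioned earlier in the thread); if they are routed into the tunnel the handshake completes but nothing flows.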

Thanks for your detailed response and above-and-beyond effort to help!

> I have Imgur blocked; it is a web site known to be privacy invasive. You can directly embed images into your post using the 'upload' next to the 'bullet point' formatting icon on toolbar when composing.

I edited the prior post to embed a link to my flow chart diagram. Thanks for introducing me to draw.io - however, I spent time using Lucid Chart to make what I've added above, so next time!

> Provided the GL device's LAN port limitations are kept in mind it seems ideal. You may need to grab a switch to expand out Network A's LAN.

Are the limitations you are referring to above solely about the number of ports? It is a shame that the Brume 2 has no additional ports. Is 55 Mbps a meaningful speed difference? I'm embarrassed to say I'm not truly sure. In any event, it seems like the Brume 2 will be what I go with. I am really and royally peeved that Google's Mesh requires that the Google router maintain control of DHCP leasing - had this not been the case, I think running the Brume 2 as another device on Network B in the diagram with a drop-in gateway would have so elegantly solved the issue. That's what I get for buying Google, but I really didn't know any better. I had such a hellish time trying to set up a mesh with ASUS routers I had flashed back from gimped T-Mobile hotspots ($60 for three AC68Us was a damned good deal I thought) and loaded up with Merlin's latest firmware, I just wanted something that was simple (and, as I now know, feature-poor). Hopefully, this thread helps future people in my situation - do NOT buy Google WiFi products! I'm waiting for when they force these into obsolescence like they did with the first version of their WiFi offering by simply disabling them from the Google Home app. Simply unconscionable, but I digress...

> You're correct; just jumping onto a SSID to manage the GL GUI is a helluva lot easier than bothering to set up port forwarding from within Network B to reach out to a Brume v2 on Network A but...
> If you want Network B clients to access Network A's NAS you'll need to set some sort of port forwarding on Network B's Google gear. The specific ports are dependent on what services/daemons you have running on your NAS that you'd like to expose to Network B. There is no risk in port forwarding Network B -> Network A as that's only occurring on the second/'inner' NAT. Network A still filters the WAN on that device's (the 'outer'/primary/absolutely-must-be-in-place-or-omg-wtf-are-you-doing-staph-it-now-you-fool) NAT & firewall.

This is an excellent point. I will most definitely want access to the NAS on Network A from devices attached to Network B (and will need to figure out what ports to forward). And thank you for confirming (in a very hilarious way, I might add!) that I am still protected from the big bad internet when port-forwarding from Network B to A, which now makes sense and is a silly question in retrospect, given that Network A would provide all the protection any router would even if a Network B didn't exist!

> Unsolicited advice: Most, if not all, retailers have a 30 day return policy (eg: AMZN). I'd grab a Brume v2, a switch & set that up. If you find the port forwarding can't be done (eg: GL GUI if not NAS access) I'd exchange it for a Beryl AX... if not a Flint v2 (I really like the Flint v2!).

I actually purchased the 2 Beryl AXs and a Brume 2 (the aluminum one) a bit more than a month ago from GL.iNet directly since they had a nice promo, so I'm "stuck" with them. Given how exciting this all is -- I'm sensing a new "hobby" here -- I'm sure I'll find some use for all 3. One will be a travel router for sure, the Brume 2 will be my Network A router and the remaining Beryl AX might just be something to tinker with in learning how to make subnets and adjacent LANs and all that fun stuff. I might even permanently put it at the parents' house so I can tunnel home without lugging a router around when visiting.

Last couple questions (at the risk of wearing out my welcome):

  1. Is there any way at all in this setup to allow for split tunneling such that I could preserve the ability to control which of my devices on Network B gets the VPN from Network A and which can go through without encryption? I know you mentioned that this would likely not be possible, but I'm wondering if there is some adjustment that could be made -- perhaps some fancy split tunneling to be done on the Brume 2 with fancy port forwarding on the Google Router to create two "paths", for lack of a better word? Or perhaps a slight hardware rearrangement. I'm envisioning a scenario where there may be a need to simply not have encryption for whatever reason (perhaps a pesky site like a bank that simply won't allow log-ins, or what have you). Again, if Google played nicely with ceding DHCP control, I think a drop-in gateway may have done the trick.

THANK YOU so much for your help!

Correct. The Beryl AX has the same limitation. A switch takes care of that.

A 4K stream on Netflix is ~15 Mbps/client. A commercial VPN provider (eg: Mullvad, Proton) is typically capped to 1 Gbps bi-directional. A private WG-based VPN (eg: so you can remote back in while on holiday) is limited to the upload rate of your ISP. Make of that what you will.

Don't beat yourself up. We all started somewhere & your expectations, goals now outstrip the 'convenience' provided by 'appliance vendors' & their associated abstractions (read: limitations). With your GL devices you now have the option to 'pop the hood'.

"Stuck!" LOL!

I've said it once & I'll say it again: OWRT is a helluva gateway drug.

I'd suggest flashing pure OWRT on the second Beryl AX (critical note: only the 'sysupgrade'-tagged image). That way you can see and test the difference between GL's customization & experiment with 'unfettered' OWRT. I say that because I run GL firmware when travelling with my Slate AX travel router but flash back to pure OWRT when I'm stationary/at home.

Unless the Google devices can be flipped into a simple AP mode or the client device is already on Network A, usually no. Any traffic from Network B is going to be seen as one source based on the MAC of the Google device. One way to theoretically get around that could be to just put every client device on a WG VPN & then use those WG IPs for the GL GUI's PBR ('policy based routing') but even if able to be done that's going to considerably impact all clients' bandwidth performance (eg: Brume v2: 2.5 Gbps v 355 Mbps). So technically yes but.... you're gonna feel some considerable pain. I wouldn't bother doing it unless you just care about getting < dings > to your phone(s) rather than heavy surfing/streaming.

EDIT: based on your diagram all you'd have to do is drop the 'Google Wi-Fi router' behind the switch provided the overall cable runs aren't an issue:

One thing I might suggest as an experiment is to take your second Beryl AX & flip it into AP mode, downstream from the Brume v2. Flip its TX/RX power output to max & see how its range, quality compares to the Google set up.

To go a step further it's not impossible to build your own mesh network on pure OWRT + appropriate hardware/antennas but that's all dependent on environmental conditions like the building's construction, overall footage, etc. Then you can sell the Google gear on a second hand market to someone who just wants that 'appliance' approach to networking.
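The split-tunnel answer above comes down to what source addresses the outer router can actually see. As an added example (mine, not from any poster and not GL.iNet's VPN Policy implementation), this script emits the Linux source-based policy routing commands that make selected sources bypass a VPN client holding the default route on plain OpenWrt. It works for hosts on Network A and for the inner addresses of per-device WireGuard peers, exactly the cases named above, and it refuses Network B host addresses because those never reach the outer router: after the Google NAT every Network B client arrives from the Google router's WAN address, so Network B can only be steered as a whole. The interface name, ISP gateway (a documentation address), table number, the Google WAN address 192.168.8.2 and the 192.168.86.0/24 Network B subnet are assumptions for illustration; the last one is taken from the subnet the original poster mentioned.

```shell
#!/bin/sh
# Added example: source-based policy routing around a VPN client that owns the
# default route, on the outer router ("Network A"). Values are assumptions.
WAN_IF="eth0"                       # physical WAN interface (assumed name)
WAN_GW="203.0.113.1"                # ISP gateway (documentation address, assumed)
BYPASS_TABLE="100"                  # routing table whose default route skips the VPN
GOOGLE_WAN_IP="192.168.8.2"         # Google router's WAN side, a host on Network A
NETWORK_B_PREFIX="192.168.86."      # Network B's LAN, hidden behind the Google NAT

# Commands that build the bypass table: a default route straight to the ISP,
# plus a rule that consults the main table first for everything except its
# default route, so LAN and tunnel subnets stay reachable for bypassed sources.
pbr_table_commands() {
    echo "ip route replace default via ${WAN_GW} dev ${WAN_IF} table ${BYPASS_TABLE}"
    echo "ip rule add lookup main suppress_prefixlength 0 priority 90"
}

# One rule per source that must skip the tunnel. Valid sources are anything the
# router sees as a distinct address: Network A hosts, the inner /32 of a
# per-device WireGuard peer, or the Google router itself (which steers ALL of
# Network B, since its clients share that one address after NAT). A Network B
# host address is rejected with a note: a rule on it would never match.
pbr_rule_commands() {
    for src in "$@"; do
        case "$src" in
            "${NETWORK_B_PREFIX}"*)
                echo "skip ${src}: behind the Google NAT, this router never sees it" >&2
                echo "  (use ${GOOGLE_WAN_IP} to bypass all of Network B instead)" >&2
                ;;
            *)
                echo "ip rule add from ${src} lookup ${BYPASS_TABLE} priority 100"
                ;;
        esac
    done
}

# Count of rules that would actually be installed for a given source list;
# handy for checking a planned bypass list before touching the router.
pbr_effective_rules() {
    pbr_rule_commands "$@" 2>/dev/null | grep -c '^ip rule add from'
}

# Usage on the router (not run here; wrap in /etc/rc.local or a hotplug script
# so the rules survive reboot and re-apply after the VPN interface comes up):
#   pbr_table_commands | sh
#   pbr_rule_commands 192.168.8.10 10.10.0.5 | sh
```

Before relying on it, run `ip rule show` and make sure priority 100 sorts ahead of whatever rules the VPN client installed (wg-quick-style clients use fwmark rules in the 32764 range; some GUI clients replace the default route instead, in which case the table trick is all that is needed), then verify a bypassed host with `curl --interface <host> ifconfig.me`-style checks from that host and a tunnelled one from another. Note the distinction the script enforces: `pbr_rule_commands 192.168.86.20` installs nothing, while `pbr_rule_commands 192.168.8.2` bypasses every Network B device at once, which is the "all or nothing" point made earlier in the thread.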


I was going to wait for the Brume 3, but I figured I might as well set up one now, and when that comes out, I'll get that and move this to another location/house. Anyway, I have yet to set this up, as it is not detected on the LAN and cannot be configured if you are using it as a drop-in device. However, it looks like I will have to put my VZ router in bridge mode, connect the Brume 2, and then I have a switch where I will connect my Mesh and a second switch where other devices are connected. Is that the best physical and logical setup?