I understand the VPN portion needing internet, just not clear on how I can do that with a mock WAN1 MPLS in a lab environment where WAN2 at hub and spoke have actual internet access.
And I've tried with the Cradlepoints with many different configs via ECM to no avail. Do you have your CP IPs set to static by the provider?
Also, if you do the manual NAT, seems you are limited to only one per device, what if you have two WAN VPN devices that need manual NAT?
Also, I found a work around for getting internet access on WANs 1 and 2 on both MX-65s with just two 4G Novatels. Each Novatel has three LAN ports. So I connected both Novatels to each MX65 in a crisscross pattern so that each WAN on a MX65 has a unique public IP.