I think you are correct. Problem with that is CradlePoints with private ip on their inside, the MX Headend would never be able to connect to that outside of the tunnel which is what is happening, even if I allowed that traffic he wouldn`t know where to go. Checking with Support now, should be able to block this traffic maybe on the headend
... View more