Connect VPN over 4G if WAN fails, but not route any other traffic

keyser

Hi

I'm looking into setting up a 4G secondary connection on some of my remote pfSense boxes. Not to failover WAN or provide Internet for clients. It is only for remote access/diagnostics IF the primary WAN fails.

So in a perfect world it would be a 4G connection that comes up IF the WAN fails, but NO client traffic is routed that way. It only makes a VPN connection to "home" so I can login and administer the box. The 4G connection will likely be behind a CGNAT, so I have no way to just use DynDNS and access it that way.

Any creative minds in here that could create a configuration that resembles this behaviour?

Would I just create a client OpenVPN connection using the 4G WAN connection, and leave all the standard rules to use the default IPv4 gateway only? How do I trigger the OpenVPN client config to only fire when WAN is down?

viragomann

@keyser
Why don't you want the VPN to stay up all the time?

I'm thinking of a gateway failover group, which is only used by the OpenVPN client. So you leave your primary gateway as default, hence your internal devices will never use the 4G.
But in the OpenVPN client you select the gateway group as outgoing interface.
So the VPN stays up all the time, but only uses the 4G if the primary WAN is offline.

keyser

@viragomann said in Connect VPN over 4G if WAN fails, but not route any other traffic:

@keyser
Why don't you want the VPN to stay up all the time?

I'm thinking of a gateway failover group, which is only used by the OpenVPN client. So you leave your primary gateway as default, hence your internal devices will never use the 4G.
But in the OpenVPN client you select the gateway group as outgoing interface.
So the VPN stays up all the time, but only uses the 4G if the primary WAN is offline.

I have no experience using multiple WAN and gateway groups in pfSense, so that’s why I asked the question rather “dumbed down”.

Would a Gateway group and config like that solve this issue without using much/any data on the 4G link unless WAN has failed (Even though the 4G is always up)?
Data subscriptions are insanely expensive here, so I need to manage that :-)

viragomann

@keyser
The only traffic on the secondary would be the pings of gateway monitoring, while the primary is up. It's possible to disable it, but I'm not sure if the gateway group is still working then.

If you really want to shut down the 4G interface completely and start it up when the primary goes down, you might have to modify some scripts.

keyser

@viragomann said in Connect VPN over 4G if WAN fails, but not route any other traffic:

@keyser
The only traffic on the secondary would be the pings of gateway monitoring, while the primary is up. It's possible to disable it, but I'm not sure if the gateway group is still working then.

If you really want to shut down the 4G interface completely and start it up when the primary goes down, you might have to modify some scripts.

Okay, cool. That should not amount to much traffic.
I’ll see if I can get a 4G Sierra card and test it in my SG-2100