Netgate Discussion Forum

    Cellular Failover Internet Connection

    Off-Topic & Non-Support Discussion
    15 Posts 5 Posters 2.5k Views
      tman222

      Hi all,

      I'm looking at adding a cellular (e.g. 4G LTE) connection as a failover internet connection to pfSense in case my primary connection goes down. While my primary internet connection (fiber) is very reliable, I do depend on the connection for work and as such would like to have a backup if / when needed. I do realize that I could just buy an entry level cable internet plan, but I thought that cellular might be cheaper on a month to month basis with a "pay as you go" data plan. Does this sound like a reasonable idea? For those that do use a cellular connection or backup connection with pfSense, what equipment (modem, etc.) and provider do you use? Thanks in advance for your help, I really appreciate it.

        akuma1x

        Provider is going to depend entirely on who services your area. I would probably go with best signal and lowest "pay as you go" plan.

        What connection speeds are you seeing on fiber right now? You should be careful, if you've got a very high 100MB plus speeds, switching to an average 4G LTE plan might be painful for your users. Is this for a home connection, or office work group?

        You can get a 4G modem that connects to your pfsense box thru an available ethernet interface.

        Cradlepoint makes some. Here's some examples of new hardware:
        https://cradlepoint.com/products/cradlepoint-arc-cba550
        https://cradlepoint.com/products/arc-cba850

        Netgear also makes some LTE modems, examples of new:
        https://www.amazon.com/NETGEAR-LTE-Modem-Broadband-Connection/dp/B01N5ASNTE
        https://www.amazon.com/NETGEAR-Modem-Gigabit-Ethernet-Ports/dp/B01MQRHQYT
        https://www.amazon.com/Netgear-Nighthawk-MR1100-GSM-Unlocked/dp/B07G5KWZ3H

        Jeff

          tman222 @akuma1x

          @akuma1x said in Cellular Failover Internet Connection:

          Provider is going to depend entirely on who services your area. I would probably go with best signal and lowest "pay as you go" plan.

          What connection speeds are you seeing on fiber right now? You should be careful, if you've got a very high 100MB plus speeds, switching to an average 4G LTE plan might be painful for your users. Is this for a home connection, or office work group?

          You can get a 4G modem that connects to your pfsense box thru an available ethernet interface.

          Cradlepoint makes some. Here's some examples of new hardware:
          https://cradlepoint.com/products/cradlepoint-arc-cba550
          https://cradlepoint.com/products/arc-cba850

          Netgear also makes some LTE modems, examples of new:
          https://www.amazon.com/NETGEAR-LTE-Modem-Broadband-Connection/dp/B01N5ASNTE
          https://www.amazon.com/NETGEAR-Modem-Gigabit-Ethernet-Ports/dp/B01MQRHQYT
          https://www.amazon.com/Netgear-Nighthawk-MR1100-GSM-Unlocked/dp/B07G5KWZ3H

          Jeff

          Thanks @akuma1x - the purpose for this would be fail-over for a home office (so not a large number of users or massive bandwidth requirements). I'm thinking of trying the Netgear LB1121 PoE unit as I have a spare 802.3at PoE injector lying around, and having some flexibility in modem placement may help in terms of achieving better signal levels:

          https://www.amazon.com/NETGEAR-Modem-Gigabit-Ethernet-Ports/dp/B01MQRHQW4?th=1
          https://kb.netgear.com/000048426/LB1111-and-LB1121-PoE-Port-Information

          Now just need to figure out what provider to use. What does everyone recommend for a good "pay as you go" cellular data provider?

          Thanks again.

            tman222

            Looks like Ting Mobile is a good option from a pricing model / coverage perspective - does anyone have any experience with them? Thanks again.

            https://ting.com/rates

              akuma1x

              Do you currently have a good data plan (unlimited or relatively low cost) with a cellular provider on your own mobile phone?

              If so, one of these boxes (or similar), tethered to your cell phone, and connected thru ethernet to your pfsense box would work in a pinch. Minimal investment...

              https://www.amazon.com/GL-iNet-GL-AR750-300Mbps-pre-Installed-Included/dp/B07712LKJM

              So, like I said, you can tether to your phone. I do this with my iPhone to get internet. Then you connect the LAN port of this box to your pfsense WAN port and reconfigure accordingly. BAM, backup 4G WAN connection!

              Jeff

                tman222

                Thanks @akuma1x - I really appreciate the help. I'm thinking I might still go with something like the Netgear LB1121 and pay as you go data plan so that the fail-over can happen pretty instantly.

                I have a couple more related questions that I wasn't quite sure on as I was thinking about this type of setup:

                1. The Netgear LTE modems support bridge mode which would pass the external IP address of the cellular connection to the second (fail-over) WAN interface on my pfSense box. I'm planning on enabling that. In that case, how does one access the LTE modem's configuration interface which will have an RFC 1918 IP address (e.g. let's say 192.168.1.1)? Do I have to set up a static route in pfSense? Or is there a simpler way I'm not thinking of?

                2. With a second, fail-over WAN connection is it possible to limit which clients will have access to it? Assuming I was using a firewall Alias for those allowed clients, how would one set up the firewall rule?

                Thanks again for all your help, I really appreciate it.

                  chpalmer

                  Generally US carriers are behind commercial grade NAT. Don't expect a public IP address..

                  My Cradlepoint does bridge mode and still responds to its LAN address much like a cable modem does.

                  YMMV with other devices.

                  Triggering snowflakes one by one..
                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    tman222 @chpalmer

                    @chpalmer said in Cellular Failover Internet Connection:

                    Generally US carriers are behind commercial grade NAT. Don't expect a public IP address..

                    My Cradlepoint does bridge mode and still responds to its LAN address much like a cable modem does.

                    YMMV with other devices.

                    Thanks @chpalmer. How does that work exactly then if the interface that the modem is connected to has a Commercial Grade NAT or Public WAN address? How are you still able to access it over its LAN address? Does it add a separate routing table entry when in bridge mode? Thanks again.

                      chpalmer @tman222

                      @tman222

                      I imagine that much like any other "bridge" type device.. WIFI AP, cable modem, etc.. that the device simply listens for traffic and answers when interrogated.. Even DSL modems in bridge mode are usually reachable on their interface port.. until you set up the PPPoE tunnel.. The tunnel is what makes them unreachable and causes the need for the extra route.

                      Commercial grade NAT is just NAT. But apparently on steroids.. But figure it like any other NAT. You won't be able to access the WAN address of your firewall from outside your network. No incoming VPN connections etc.. Outgoing VPN such as OpenVPN clients will work though from inside your network..

                        stephenw10 Netgate Administrator

                        Same as this: https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html

                        Steve

                          tman222 @stephenw10

                          @stephenw10 said in Cellular Failover Internet Connection:

                          Same as this: https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html

                          Steve

                          Thanks @stephenw10 - this is very helpful! Next time, I'll be sure to check the documentation first. :)

                            Raffi_

                            @tman222 I am currently still in the process of setting up a decent 4G LTE backup connection. I went through a LOT of trial and error and have learned a bit about it. The Netgear LB1121 should work great for your setup, but do your homework. I purchased an LB1120, which I then wished had POE. In my scenario though, it turned out that even if I had POE, it wouldn't have made much difference. In my case, the signal strength was not the issue. The T-Mobile 4G network I was connecting to was not providing decent enough bandwidth in my area even with full 5 bars which I was testing from my phone.

                            I would highly recommend doing a site survey before investing in any hardware. This is where I personally went wrong. I figured 4G MUST be able to provide at least around 10 Mbps. At first it did, but now I can't get anything decent from it regardless of signal strength. After testing with all 4 of the major carriers, 3 out of the 4 could barely provide 2 Mbps in our building even with decent signal. Use an app like Network Cell info lite on Android or something similar on iPhone for a quantitative measure of signal strength. Figure out if you have a decent signal and run a speed test to see if it would be sufficient. At the end of the day the speed and latency are really what matters. In my specific area, it turns out Sprint is the only one that did provide a decent enough speed during my testing (even with only 1 bar). The LB1120 and 1121 do not support Sprint's network. So I had to basically scrap the Netgear and look into an alternative which for me is still a work in progress. Once I get it up and running I will be posting my solution in case someone else is looking into doing the same at a low cost.

                            As for Ting, I never used it but I think all MVNOs should be decent. I'm currently on Tello since they offer really low cost Sprint data options. The real question is what network does the operator run on and is that network providing good enough speed for you?

                            If you already have Google Fi and good T-Mobile service in your area, that is the perfect solution to a backup 4G connection. That was our original plan which went out the window. The reason is because Google Fi operates on T-Mobile and Sprint's network. If you already have service with them, you can request an additional free data only sim. The good thing is the sim will only get charged when it actually uses data at the same $10/Gig rate they always charge. The bad thing is the sim ONLY works on T-Mobile.

                            Sorry, for rambling on. I hope some of this helps.

                            Raffi

                              stephenw10 Netgate Administrator

                              Yeah, there's no perfect solution here, at least not one I've found.

                              If you set this up, pfSense will, by default, start pinging the gateway and using data. You probably don't want that. You definitely don't want it at the standard 2 pings a second rate where total data is not insignificant. I have it set to one ping every 10s here and it falls within the 'included' data in the subscription I'm on. 200MB a month.
                              If I need to fail over to it I can add more data as needed.

                              Just as another data point I'm using a Sierra m.2 modem connecting using PPP. I usually see 20-30Mbps but have seen over 40 at times. Signal strength is not an issue where I am in the UK.

                              Steve

                                tman222

                                Thanks @Raffi_ and @stephenw10 - I really appreciate the additional insight and helpful information.

                                I gave all this some more thought today and concluded that something like @akuma1x suggested here

                                https://www.amazon.com/GL-iNet-GL-AR750-300Mbps-pre-Installed-Included/dp/B07712LKJM

                                might actually be the most simple and cost-effective backup option given that my fiber connection is very reliable (I don't believe it has ever gone down in the last number of years I've had fiber based internet access). If it does go down, I can always hook up this small device to pfSense and tether easily off my cell phone, thereby leveraging an existing data plan.

                                Thanks again for all your help.

                                  Raffi_

                                  That sounds like a great option. Interested to know how it works out. That's a pretty flexible little box. Not bad for the price.
