Netgate Discussion Forum

    Failover with LTE as backup

    • tac12

      I’m in the process of adding to my setup a Netgear LM1200 cellular internet “modem”. I’ve found recipes on using gateway groups etc.; I haven’t gotten that far yet. I’ve stumbled at the first step. My pfSense box has 4 Ethernet ports and my second uses eth1 for my ADSL modem, eth2 for my LAN and I plugged the LM1200 into eth3 (LTE). The LM1200 is in bridge mode, eth3 set to DHCP, and gets an IP of 10.83.x.x from the Netgear/3. I’m using 3 SIM with tethering, and all of that works when plugged into a laptop. My issue is how to access the management interface on 192.168.5.1. I can ping it from the pfSense box but not from LAN.

      Any suggestions would be appreciated! I’ve added a rule to allow traffic to 192.168.5.1 from LAN to LTE.

      • VincentEmmanuel

        Your Netgear on eth3 should be a WAN and not a LAN. So after switching eth3 to WAN you should be able to see an IP address of that in the pfSense main page. Use that IP to access the management interface.

        • dem

          I use an LM1200 as a backup and didn't have to do anything special to be able to access the management address. The device set up the route on its own and no extra rules were needed.

          I'm not sure if it matters, but try disabling "Block private networks and loopback addresses" on the LTE interface.

          • tac12 @VincentEmmanuel

            @VincentEmmanuel WAN or LAN, surely that's just a label?

            • tac12 @dem

              @dem Yes, I have unchecked those. I can ping OK from the pfSense box, but not from my computer, which is on my LAN.

              • dem

                Is your computer perhaps on a VPN that might be preventing traffic to the management address from getting to pfSense?

                My computers are normally on a VPN and I have to explicitly advertise the routes to management addresses.

                • tac12 @dem

                  @dem I have a site-to-site VPN using IPsec, that's all.

                  • VincentEmmanuel @tac12

                    @tac12 LAN and WAN are not just labels. WAN is a gateway for traffic to go out while LAN is just an internal network.

                    The modem should have a public IP issued by the ISP when it's connected, and when set up as a WAN it should be visible in pfSense as one of its WAN gateways. Then you can create a gateway group and use it as a failover WAN.

                    That is what you are trying to achieve, right?

                    • stephenw10 Netgate Administrator

                      pfSense needs to know to route traffic to that IP via the LAN3 interface. So one way to do that is to add an IP alias on LAN3 of, for example, 192.168.5.254/24.

                      You may need to also add an outbound NAT rule so that the modem sees all traffic as coming from 192.168.5.254 and has a route to reply.

                      Steve

                      • dem @stephenw10

                        @stephenw10 The LM1200 DHCP server sends "Static-Route Option 33" with the management address so my pfSense sets up the route on its own, no VIP needed. The fact that @tac12 can ping the management address from pfSense seems to indicate that the route is working.

                        But it seems like either clients are choosing a route other than pfSense for that address, or there's some rule on LAN matching before the default allow rule.

                        The first time I connected this modem and was able to access the management interface without any changes to pfSense I just about fell out of my chair. It just worked! But I don't know why it doesn't work for @tac12.

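The post above says the LM1200's DHCP server pushes the management route with option 33. As an added example (not part of the thread and not pfSense code), this decodes option 33 from a raw DHCP options field so you can audit which routes an upstream device asks the firewall to install; the sample bytes, the router address 10.83.0.1 and the allow-list are constructed assumptions.

```python
import ipaddress

OPT_PAD, OPT_END, OPT_STATIC_ROUTE = 0, 255, 33

def parse_options(raw):
    """Walk the DHCP options field (code, length, value) that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {code}: missing length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        opts[code] = opts.get(code, b"") + value  # repeated codes are concatenated
        i += 2 + length
    return opts

def static_routes(raw):
    """Return (destination, router) pairs carried in option 33 (RFC 2132)."""
    data = parse_options(raw).get(OPT_STATIC_ROUTE, b"")
    if len(data) % 8:
        raise ValueError("option 33 length must be a multiple of 8")
    routes = []
    for off in range(0, len(data), 8):
        dest = ipaddress.IPv4Address(data[off:off + 4])
        router = ipaddress.IPv4Address(data[off + 4:off + 8])
        if int(dest) == 0:           # RFC 2132: default route is illegal here
            raise ValueError("option 33 must not carry a default route")
        routes.append((str(dest), str(router)))
    return routes

def unexpected_routes(raw, allowed):
    """Routes the DHCP server pushed whose destination is not on the allow-list."""
    return [r for r in static_routes(raw) if r[0] not in allowed]

# Constructed sample: subnet mask, then option 33 (192.168.5.1 via 10.83.0.1), then end.
SAMPLE = bytes([1, 4, 255, 255, 0, 0,
                33, 8, 192, 168, 5, 1, 10, 83, 0, 1,
                255])

if __name__ == "__main__":
    print(static_routes(SAMPLE))
    print(unexpected_routes(SAMPLE, allowed={"192.168.5.1"}))
```
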
                          • stephenw10 Netgate Administrator

                          He might have a policy routing rule on LAN forcing that traffic via the other WAN. Traffic from pfSense itself doesn't hit that.

                            • tac12 @stephenw10

                            @stephenw10 Actually I'm an idiot, and am embarrassed to admit that I had forgotten to turn Outbound NAT back to automatic!

                            I'm now going to finish by following https://joshspicer.com/lte-failover-pfsense

                            Apologies for wasting your time, and many thanks for your response.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.