This is something I never thought I’d actually need until the other weekend, when I went out of town for a wedding. Everything was going smoothly with my remote access until 7:41 AM on Saturday, when suddenly I couldn’t reach anything. I tried to pull up my doorbell camera – no connection. I tried to reach my alarm system, which alerts if the power goes out or Wi-Fi drops, but it wasn’t reporting any problems (which really concerned me, since I didn’t have internet, my ISP reported no issues, and the power company reported no issues). I started to freak out. My wife reminded me that we’d be home the next day. So I adjusted my WireGuard settings and went without protection. When I got home, I noticed that for some reason the WAN port on my pfSense firewall had lost its IP. It was reporting 0.0.0.0. After power cycling everything, I finally got a public IP (which had of course changed, so I had to reset all my VPN tunnels). All of this could have been avoided if I had a back door into my network. Likewise, my ISP occasionally has issues. Having a backup connection to the Internet in those situations would also be nice. So why LTE and not DSL? I live in the boonies and there are no landlines going down my road (it’s weird, since we do have cable service).
Selecting an LTE Modem
I did a bit of research to find a good LTE modem and settled on the Netgear LM1200, for a few reasons.
The first is that it’s not a traditional hotspot – it’s more of a pure LTE modem. This bad boy also features two gigabit Ethernet ports (the WAN port is disabled by the firmware; Netgear says it will be enabled in a future firmware update), external antenna hookups if you have shoddy signal, and that’s about it spec-wise. This model does not contain a battery, but it can be powered via USB, so it also makes a great portable system. Keep in mind, though, that if you do take it on the road, only one system can connect – but you can “share” the connection (at least on Windows).
Another reason why I love this device is that the software lets you put the modem into bridge mode. If you’re not familiar, bridge mode means the modem passes the carrier’s WAN address straight through to the device behind it instead of routing and NATing the traffic itself, so you need a device capable of routing on the other side. Since this is going to be a backup connection for our home network and we already have a router, check.
Selecting LTE Service
The Netgear LM1200 works with the three major carriers, and it should also work with any MVNOs that ride on top of those networks. For example, I purchased a SIM card from Ting because Verizon wouldn’t even give me an idea what a hotspot plan would cost unless I gave them an IMEI number, which I didn’t have because my device was still being shipped. Ting is an MVNO that rides on top of the T-Mobile network.
This device works great with Ting out of the box with no configuration. I simply activated the SIM and picked the 5 GB data plan (really it’s a phone plan with unlimited talk/text and 5 GB of hotspot data) for $25/month.
When my Netgear LM1200 did arrive, I popped the IMEI into Verizon and, after going through everything, I was able to get a 15 GB hotspot plan for $17/month. Cheaper and more data? Yes please. So I’ll be swapping the Ting SIM for the Verizon SIM as soon as that arrives.
If your carrier does offer a hotspot or data-only plan, you want that. They’re a little cheaper than a normal phone line.
Setting up pfSense to failover
Setting this up in pfSense is actually not too difficult, and it’s flexible based on your needs. For example, my main cable connection has issues in the springtime, when the equipment heaters inject noise on the line and cause 15%+ packet loss. In those instances I want my connection to fail over: my main internet is still up, but it’s unusable.
To do this, you do need an available physical port to plug the LTE modem into. If your pfSense device only has two ports, you’re going to need to upgrade to a new device.
Once the modem is hooked up and plugged in, enable the interface and configure it appropriately. Unless your carrier has actually assigned you a static IP, set it to DHCP.
Also block private IPs and bogon networks.
Keep in mind that if you do not bridge your LTE modem (or can’t for whatever reason), the modem will hand your second WAN port a private IP. To make this work, you need to uncheck the box to block private networks! If you don’t, traffic on that interface will be blocked!
Go to System > Routing > Gateway Groups and create a new group.
Give it a name and then set your gateway priorities. A lower tier number gets priority, so put the cable WAN in Tier 1 and the LTE WAN in Tier 2. Finally, set your trigger level. I chose packet loss or high latency because my main connection will remain online but unusable, and I want it to fail over in that state. The default option is Member Down, which only fails over when the gateway is marked down; 100% packet loss also marks it down, so Member Down still fails over for a complete outage, just not for a degraded link.
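To make the trigger choice concrete, here is a small Python model of how a gateway group picks its active member. This is an added example, not pfSense’s own code: the loss and latency thresholds, the gateway names and the monitor readings are all constructed for the demonstration (pfSense lets you tune the real thresholds per gateway, and the values below are not its defaults), and the tiers mirror the setup described above.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GatewayStatus:
    """What the gateway monitor reports for one WAN (constructed for this example)."""
    name: str
    tier: int          # lower number = higher priority, like pfSense tiers
    online: bool       # monitor can reach the gateway's monitor IP at all
    loss_pct: float    # measured packet loss to the monitor IP
    latency_ms: float  # measured average round-trip time


# Assumed thresholds for this example only; pfSense configures these per gateway.
LOSS_THRESHOLD_PCT = 15.0
LATENCY_THRESHOLD_MS = 500.0

TRIGGERS = ("member_down", "packet_loss", "high_latency", "packet_loss_or_high_latency")


def is_usable(gw: GatewayStatus, trigger: str) -> bool:
    """Return True if the group may send traffic through gw under this trigger."""
    if trigger not in TRIGGERS:
        raise ValueError(f"unknown trigger {trigger!r}")
    # Unreachable, or losing every probe, counts as down under every trigger.
    if not gw.online or gw.loss_pct >= 100.0:
        return False
    lossy = gw.loss_pct > LOSS_THRESHOLD_PCT
    slow = gw.latency_ms > LATENCY_THRESHOLD_MS
    if trigger == "member_down":
        return True             # degraded but reachable still counts as up
    if trigger == "packet_loss":
        return not lossy
    if trigger == "high_latency":
        return not slow
    return not (lossy or slow)  # packet_loss_or_high_latency


def select_gateways(gateways: List[GatewayStatus], trigger: str) -> Optional[List[str]]:
    """Names of the gateways that would carry traffic: every usable member of the
    lowest usable tier (pfSense load-balances within a tier). None if all are out."""
    usable = [g for g in gateways if is_usable(g, trigger)]
    if not usable:
        return None
    best_tier = min(g.tier for g in usable)
    return [g.name for g in usable if g.tier == best_tier]


# Constructed monitor readings for the two scenarios in the post.
SPRING_NOISE = [  # cable reachable but losing 20% of probes, LTE clean
    GatewayStatus("WAN_CABLE", tier=1, online=True, loss_pct=20.0, latency_ms=40.0),
    GatewayStatus("WAN_LTE", tier=2, online=True, loss_pct=0.0, latency_ms=70.0),
]
WAN_DEAD = [  # cable has no address at all, every probe lost
    GatewayStatus("WAN_CABLE", tier=1, online=False, loss_pct=100.0, latency_ms=0.0),
    GatewayStatus("WAN_LTE", tier=2, online=True, loss_pct=0.0, latency_ms=70.0),
]

if __name__ == "__main__":
    for label, group in (("spring noise", SPRING_NOISE), ("WAN dead", WAN_DEAD)):
        for trig in TRIGGERS:
            print(f"{label:12} {trig:28} -> {select_gateways(group, trig)}")
```

Running it shows the distinction the post draws: with Member Down, 20% loss keeps the cable line selected because the gateway is still reachable, only a loss or latency trigger moves traffic to the LTE tier, and a dead WAN fails over under every trigger.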
Adjust your firewall rules
This part is optional. Go to the firewall rules for your LTE interface. If you have limited data, I’d suggest adding rules to block access to streaming services, since devices on your network have no idea they’re on a mobile data plan. Going back to the Netgear LM1200, it also has a way to cap your data usage (and it tracks your billing date so it knows when to reset the counter).
Things to keep in mind
There are a few things to remember about mobile backup internet. First, it is usually double NATed. You might see a public-looking IP in pfSense, but if you go to ipchicken.com you’ll see a different IP. This is carrier-grade NAT, or CGNAT. With CGNAT you cannot port forward, so even if you open port 443, nobody outside can reach it. If you need remote access, you need a utility that punches through NAT on its own, like AnyDesk or RustDesk, or you set up an external WireGuard server that your firewall connects out to. You would then connect to that external WireGuard server, which gets you into your network over the mobile connection.
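A quick way to tell which situation you are in is to compare the address pfSense got on the LTE interface with the address an external what-is-my-IP site reports for that WAN. The Python below, an added example and not part of the post or of pfSense, classifies the pair: an RFC 1918 address means the modem is not bridged and is doing its own NAT, an address in 100.64.0.0/10 (the RFC 6598 shared space carriers use for CGNAT) means carrier-grade NAT, and a public address that differs from what the internet sees means the carrier still translates it. The sample addresses are constructed from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24; only IPv4 is handled.

```python
import ipaddress

# Address ranges that tell you a NAT sits in front of the interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_wan(interface_ip: str, observed_ip: str) -> str:
    """Classify a WAN by the address pfSense got versus the address the internet sees.

    interface_ip: the IPv4 address on the pfSense WAN interface (e.g. from DHCP).
    observed_ip:  the address an external what-is-my-IP service reports for that WAN.
    """
    iface = ipaddress.ip_address(interface_ip)
    seen = ipaddress.ip_address(observed_ip)
    if any(iface in net for net in RFC1918):
        return "modem_nat"      # modem is not bridged: it is doing NAT itself
    if iface in CGNAT:
        return "cgnat"          # carrier-grade NAT: address shared with other subscribers
    if iface == seen:
        return "direct"         # genuinely public; inbound port forwards can work
    return "upstream_nat"       # looks public, but the carrier still translates it


def port_forward_reachable(kind: str) -> bool:
    """Only a directly routed public address can accept an inbound port forward."""
    return kind == "direct"


def remote_access_strategy(kind: str) -> str:
    """Inbound forwarding works only on a direct WAN; everything else must dial out."""
    return "inbound_port_forward" if port_forward_reachable(kind) else "outbound_tunnel"


# Constructed examples (documentation address ranges, not real hosts).
SAMPLES = [
    ("203.0.113.10", "203.0.113.10"),    # bridged modem, public address passed through
    ("100.64.5.7", "198.51.100.20"),     # bridged modem behind carrier CGNAT
    ("192.168.1.100", "198.51.100.20"),  # modem in router mode handing out its LAN
    ("203.0.113.10", "198.51.100.20"),   # public-looking address, carrier still NATs
]

if __name__ == "__main__":
    for iface_ip, seen_ip in SAMPLES:
        kind = classify_wan(iface_ip, seen_ip)
        print(f"{iface_ip:15} seen as {seen_ip:15} -> {kind:13} {remote_access_strategy(kind)}")
```

When the result is anything other than direct, the tunnel has to be initiated from the pfSense side, and because the carrier’s NAT mapping expires when idle, the WireGuard peer entry on pfSense needs PersistentKeepalive set so the mapping is refreshed; otherwise the external server loses the path back to pfSense after the first quiet period.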
Hope this helps!