My Links

  My YouTube Ch.
  My Odysee Ch.
  My Twitter Ch.
  My Github
  My EEVblog Profile

 

 



Details
Hits: 577

INTRO

WANmap

If you have internet access via DSL, fiber, or similar, and you're concerned about power outages disrupting service, a reliable backup solution can be set up using a 4G LTE router as a secondary WAN connection for pfSense.

If your main internet connection fails, pfSense will automatically switch to the 4G connection within seconds and restore the primary WAN once it's back online—all without user intervention.

This setup introduces no new or unusual security concerns. The 4G router simply sits in front of pfSense, just like your existing WAN, and all of pfSense's firewall and security features continue to apply exactly as before.

Here's a guide on how to add a 4G backup connection to pfSense. The goal: automatic failover when the main connection drops, and automatic recovery when it returns. It's not an exhaustive guide as it depends somewhat on your existing Pfsense configuration.

Notes: All IP addresses, WAN names, and other details shown in this article are fictional examples—no real internal or public IPs are included.

 

Hardware Overview

  • pfSense firewall (x86-64 or Netgate-ARM hardware)

  • Primary WAN internet connection, we'll call it WAN_MAIN.

  • Secondary WAN, the 4G LTE router, we'll call it WAN_4G.

  • Assume your existing Pfsense LAN subnet: 192.168.1.0/24

The 4G router will require a mobile/cell phone SIM card for mobile data and connects to pfSense via Ethernet.

 

Step 1 – Configure the 4G Router

  1. Insert a SIM card to the 4G router.

  2. Log into the 4G router by connecting directly to it via a Cat5 cable and visiting its default admin login page.

  3. Check the APN settings (usually detected automatically).

  4. Ensure the router has a static IP assigned, i.e. IP 192.168.10.1.

  5. Disable Wi-Fi as it isn’t required.

  6. Disable DHCP Server — pfSense will handle DHCP.

  7. Save and reboot the router.

After setup, connect the 4G router’s LAN port to one of pfSense's WAN ports. The 4G routers WAN port will not be used.

 

Step 2 – Add the 4G routers Interface in pfSense

  1. Log into Pfsense, go to Interfaces → Assignments.

  2. Add the new interface (e.g. igc3 depending on what port you have plugged the 4G router into) and name it WAN_4G.

  3. Enable it and set IPv4 Configuration Type to DHCP.

  4. Save and apply changes.

pfSense should obtain an IP (usually 192.168.10.100) and gateway (192.168.10.1), taken from your 4G routers static IP.

 

Step 3 – Configure Gateways

  1. Go to System → Routing → Gateways.

  2. You should see two gateways:

    • WAN_MAIN

    • WAN_4G

  3. Edit each gateway and set thresholds:

    • Latency thresholds: Low 250 ms / High 600 ms

    • Packet loss thresholds: Low 20% / High 50%

    • Monitor IP: 8.8.8.8 for WAN_MAIN and 8.8.4.4 for the WAN_4G

Save and apply changes.

 

Step 4 – Create a Gateway Group for Failover

  1. Go to System → Routing → Gateway Groups.

  2. Add a group named WAN_GROUP.

  3. Set:

    • WAN_MAIN → Tier 1

    • WAN_4G → Tier 2

    • Trigger Level: MemberDown or Packet Loss or High Latency, you may need to play with this setting.

    • Description: WAN Failover

  4. Save and apply.

Then go to System → Routing → Default Gateway and set:

  • Default Gateway IPv4: WAN_GROUP (WAN Failover)

pfSense will now automatically use the primary WAN_MAIN, and switch to WAN_4G if it fails.

 

Step 5 – Firewall Rules

Under Firewall → Rules, add:

Interface Action Source Destination Description
LAN Pass ***specify an IP address here*** any Allow access to 4G router management

This allows access to the 4G routers web interface from a single specific trusted device. You will need to add this if your 4G router is on a different subnet to your LAN.

 

Step 6 – Testing and Failover

  1. Disconnect the main WAN connection and open Status → Gateways.

  2. WAN_MAIN will show Offline, and WAN_4G becomes Active.

  3. pfSense automatically reroutes traffic via 4G.

  4. When WAN_MAIN comes back, it returns as the primary route.

  5. If you have added both the WAN_MAIN and WAN_4G Gateways to the Pfsense dashboard then you should see the status of both and which one is currently active by the globe symbol.

 

Step 7 – Email Notifications (Optional)

pfSense can send notifications when gateways change state.
Go to Status → System Logs → Settings → E-Mail, enter your SMTP details, and enable “Gateway monitoring events”.

 

Step 8 – Final Notes

  • Disable remote management on the 4G router.

  • Change the 4G router admin password.

  • On pfSense, the globe icon beside a gateway shows the currently active WAN.

  • Backup the new Pfsense and 4G router configuration.

  • If you use DDNS or external monitoring, remember that failover will temporarily change your public IP.

Results

  • Automatic 4G failover when the main connection drops.

  • Automatic recovery when it returns.

  • Seamless internet continuity during outages.

This configuration gives pfSense full dual-WAN redundancy with simple hardware and no additional software — a reliable, practical home or small-office backup solution. 

Extra

Screenshots of the notification emails received on a disconnect and subsequent reconnect.
This would have likely happened due to sub-optimal 4G antenna location giving a low signal quality/strength.
MR600 disconnect

MR600 connect