All HowTo's pfSense & Netgate

Netgate pfSense with 4G/5G Fail-over

This article discusses my recent experiences with 4G/5G fail-over for a small business running a Netgate 3100 pfSense firewall appliance. The model of the Netgate firewall appliance isn’t important. If you’re using a USB device for the 4G/5G, then it’s the pfSense drivers that matter.

The question is, which 4G/5G USB stick will work. I went to my local Optus store and purchased a Huawei E3372 LTE USB sitck and had no luck. That’s because the USB stick can come in two different “modes” determined by the firmware they’re running. The device I received was the E3372h model and that is the “wrong” mode model. There are ways to deal with this but it’s seriously far more hassle than it’s worth.

TIP: Netgate have a page listing “known to work” 4G devices. See here “”. However, the “E3372” model is on that list, but the “E3372h” is not. So the list is not perfect.

I ended up purchasing a “TP-LINK TL-MR6400 v5 4G/5G router”. See here “”. I inserted the Optus SIM into the TP-Link 4G/5G device, connected that device to the OPT1 interface on the Netgate 3100 using Ethernet, configured OPT1 on the Netgate for DHCP, and it worked – the OPT1 interface came up. No configuration change at all on the Netgate or the TP-LINK at all. However, there’s still work to be done to get the fail-over working. See below.

While I recommend enterprise grade equipment for fail-over gear, this test was purely to examine the difficulty of device configuration required to have the fail-over in place.

So I’ve concluded that the gamble and time to troubleshoot by trying a USB device is simply not worth it. Use a 4G/5G router that connects via Ethernet for a more reliable outcome.

The following describes the settings that I’ve used in this test. This is an explanation, not a walk-through. Compare your settings to mine.

This screenshot shows the Interface settings for the OPT1 (the interface connecting the TP-Link 4G/5G device to the Netgate). All settings below what can be seen in this screenshot are empty/unset.

Create a Gateway Group to allow for the fail-over capability.

The following shows the details/settings for the Gateway Group. Basically the primary service is the “tier 1” service (it will be the default). The 4G/5G service is set to “tier 2”. I’ve set it to fail-over in the event of packet loss.

Back at the routing configuration settings page, set the default gateway to the new fail-over gateway group.

Now if you go to the status page showing your gateway groups, you’ll see that your primary service (tier 1) is active (in use), and your secondary (tier 2) is ready to take over if there is package loss on the “tier 1” service.

That’s all you need to to to configure your the fail-over capability on the Netgate pfSense appliance.

Leave a Reply

Your email address will not be published. Required fields are marked *