Backup ISP via Cellular


Scottmichaelj

I like Merlin FW on ASUS. You still get the stock feel with advanced settings. I just didn't feel like it handled the VPN encryption well due to the lower processor/memory on the consumer side.

 

Recent models have greatly improved CPU speed.

 

Here are some sample results I found in a thread elsewhere. These results exceed the capability of my cable connection, because I only have 20mbit/sec outbound, which is BETTER than typical for cable connections.

 

https://www.snbforums.com/threads/asus-rt-ac88u-asuswrt-merlin-380-64-vpn-connection-slow.36552/

 

AC3100 (same as AC88U minus 4 ethernet ports)

CTF enabled

DL: 61 Mbps with core 1 at 25%, core 2 at 75%

UL: 84 Mbps with core 1 at 35%, core 2 at 100%

 

AC68U

CTF + FA enabled

DL: 43 Mbps with core 1 at 25%, core 2 at 80%

UL: 60 Mbps with core 1 at 35%, core 2 at 100%

 

AC68U

CTF enabled

DL: 44 Mbps with core 1 at 30%, core 2 at 80%

UL: 58 Mbps with core 1 at 40%, core 2 at 100%

I don't know by core, but I get 90mbs down and 12mbs up on the RT-AC88, and that is a limitation of the cable service. The processors don't work that hard, and I also use it as my NAS. I replaced a RTAC68 with it and had the same upload/download performance.

 

Merlin and Asus can support a second internet service connected to one of the LAN ports, but I imagine individual firewall rules would be needed to limit what devices can use it. 

 

Paul

 


To configure outbound redundancy for selective hosts you need to create a gateway group - containing both gateway interfaces, but with your failover set to a lower priority.

 

In your firewall rules, look at the rule for your LAN interface (it probably allows any). Set the gateway on that rule to use the primary gateway. This will prevent traffic from failing over by default.

 

Then create a rule at the top matching traffic from the host you want to have redundancy, and set the gateway on the rule to your redundant group.

 

Done.

 

Michael.


BACKGROUND

 

After reading through the Linksys LRT224 manual and some help from @chadster766 on the Linksys forum, I was able to figure out how to limit which LAN IP/services have access to the WAN2 LTE failover interface. Actually, it was quite easy once I knew how. I tested the firewall rules applied to my WAN1 interface to confirm it all works before applying it to just the WAN2 interface.

 

SUMMARY

 

So now my Elk, ISY, ZoneMinder NVR Server, and other security related devices will be the only devices with access to the WAN2 LTE failover interface. I am now 100% satisfied with my solution for 24/7 LTE failover.

 

FIREWALL ACCESS RULES EXAMPLE

 

(Screenshot attachment: lrt224_firewall_rules.jpg)


The device I referenced above, running pfSense on Comcast (with 125Mbps service) achieves a speed test natively of 125Mbps down and 24.27Mbps up.

 

http://www.speedtest.net/my-result/6083914596

 

Setting up an OpenVPN connection to www.privateinternetaccess.com (their Chicago server - closest to me) - I got 82Mbps down and 21.97Mbps up.

 

http://www.speedtest.net/my-result/6083927496

 

Considering the packet size increase for performing this over VPN - it's clear that the little 10W box is capable of some serious (encrypted) performance for its cost.

 

Thanks to @Scottmichaelj for spurring me on....  I now have OpenVPN going in client mode (to provide targeted traffic anonymization) as well as server mode (to allow mobile clients to connect).... all leaving my failover WAN solution working with my LTE device providing failover with a FreedomPOP SIM (so - if I can keep this to under 200MB/month it will be free... so its use is limited to my Elk and ISY)

Well it seems as if the LRT224 can't properly apply custom firewall rules. I've tried various versions of firewall rules on the LTE backup WAN2 interface, even reversing WAN1/2 connections/rules, and get the same results. While everything seems to work initially, I keep losing my primary WAN connection. I have to either disable the rules or reset rules to defaults. @chadster766 on Linksys forum was also stumped. At this point I have two options. Live with it or buy a Cisco RV042G

That's too bad.  It sounds like bad firmware.  Based on the settings page options, it appears that it should work.


Below are Speedtests using pfsense with my ISP subscription being 250D/25U on my Intel Dual Core PC box.

 

Speedtest ISP via pfsense - 292D/30U - http://beta.speedtest.net/result/6086063012.png

   

Speedtest on VPN (Seattle Server) via pfsense - 265D/27U - http://beta.speedtest.net/result/6086059646.png

 

As you can see, VPN encryption is not affected using the Intel CPU.

 

pfsense via Protectli Firewall Box:

 

Speedtest ISP via pfsense - 294D/30U (Identical to PC) - http://beta.speedtest.net/result/6088687379.png

 

Speedtest on VPN (Seattle Server) via pfsense - http://beta.speedtest.net/result/6097374862.png

 

Speed via VPN is affected on the Protectli.

 

My thoughts using pfsense on a PC vs the firewall appliance:

 

So it does appear there is a difference in speed hit when using a VPN on the Protectli box. My goal is to run my VPN 24/7 to protect all devices behind the firewall, so due to the amount of devices I have and the speed loss when using the Protectli, I will be returning it and for now going back to the dedicated PC. The downfall of a dedicated PC is the energy consumption of 50W avg vs 10W. However, anyone who wants to run a VPN and get "close" to their ISP speeds will need something very strong. I am not an expert in VPN or encryption but I am going to start reading up more on it.

 

Overall the Protectli is a nice box however I can't justify the price vs performance for my own use. If you don't require over 100MB of internet bandwidth, want a low power box (10W) and better than consumer router (with failover), then using this as router pfsense is the way to go.

 

I have almost finished all the things I wanted to do with the new router setup. I don't think I will have any issues with the remaining tasks and overall I am very happy with the switch to pfsense, as it mixes a nice blend of consumer friendly controls but has enterprise level options. Granted it took me longer than the average bear to configure but it was nice having a huge amount of resources from the pfsense wiki and forums, plus all the youtube videos.


Why not get the box MWareman suggested with pfsense and use the Linksys as an AP?

 

 

 

I called Linksys customer service to open a ticket to hopefully get some resolution.  I had them review my Linksys forum thread, who confirmed my FW access rules should work and not affect WAN1.   Unfortunately, they will not elevate this as a firmware issue until they swap out my currently unit.  They are sending me an advance RMA replacement unit.   Once I swap out the unit and confirm the issue, hopefully it will get elevated to the firmware group.  

 

Linksys official info and how to create FW access rules:  http://www.linksys.com/us/support-article?articleNum=164489


Updated post #59 - Soon I will post back about running pfsense as a Virtual Machine using VirtualBox on my Windows 7 64B server. It has a AMD FX-8350 8-Core running at 4.1MHz with 16GB of RAM. I also want to see if I see any changes using different cores and ram, which I should be able to change on the fly. I will post back for anyone curious.

 

EDIT: Anyone who wants to do a little "light reading" about crypto encryption cards/accelerators using pfsense.

 

https://forum.pfsense.org/index.php?topic=107329.0


BACKGROUND

 

Good news, bad news...

 

Good news is I received my advance RMA replacement LRT224.

 

Bad news is I was able to duplicate the problem on the replacement LRT224 hardware.   

 

CISCO RV042G

 

For the fun of it I ordered a Cisco RV042G, which is basically the same hardware (lights, ports, features, wall transformer, packaging, and bet money it is the exact same circuit board), except it has slightly different firmware.     I suspect this is a carryover from when Cisco owned Linksys before selling to Belkin.   I was able to successfully get everything to work, including firewall rules.  There were a few quirks with the RV042G in order to get local DNS and DNSMasq (DNS Proxy) working together.  A problem that apparently has plagued the RV042(G) models for some time, for which no one seemed to have discovered a solution.  You have to add the local DNS IP address to the list of WAN facing DNS servers.  Also, the IPSec server is not a full implementation, thus one cannot connect using iOS/macOS (others?) devices.  Sadly, the RV042 also does not support no-ip.com DyDNS.  Consequently, I returned the RV042G for a full refund from Amazon.  

 

LINKSYS LRT224

 

There are basically two scenarios under which the LRT224 will drop the primary WAN connection and/or DNS servers.  

 

1. If I enable DyDNS on the failover WAN2 (using a completely different hostname), the LRT224 will not resolve DNS requests over the WAN1 connection.  Or,

2. I configure custom firewall access rules (see previous posts) applied ONLY to WAN2.   

 

In either of these situations, WAN DNS requests will sometimes not work initially, or not at all, or work for a short period of time before it stops working.   

 

CONCLUSION

 

It appears there is a fundamental problem with the firmware of the LRT224.   Hopefully, I can now get Linksys to recognise there is a problem and fix it.  


BACKGROUND

 

Not sure if anyone is still interested in my endeavors with the Linksys LRT224, but I spoke to Linksys Level 2 support several times last week to replicate, discuss symptoms and possible causes.   I received a call back late last week.

 

SUMMARY OF ISSUES

 

Linksys admitted there is a problem with when and how the firewall rules are applied.  Rules do not automatically get applied when saved and/or incorrectly get applied to the current WAN connection.  A reboot of the router is required to get rules to function.  Also, when one forces to the failover WAN interface, the firewall rules stop getting enforced.  Linksys replicated this issue in their lab and is working to fix this issue with a firmware update.  

 

The other issues are when I enable DyDNS for the failover WAN. 

 

One problem occurs when DyDNS is enabled on the failover WAN, the LRT224 will periodically attempt to update the IP address even when failover is not being used.  When it does, the LRT224 stops forwarding DNS requests over the primary WAN connection, and occasionally will not recover.  I have not convinced Linksys 100% this is their problem.    

 

The other problem has to do with my ATT service (IoT), which only assigns a private IP address, thus the LB1120 will not provide a public IP address to the LRT224, even when the LB1120 is in bridge mode.  From my novice understanding, this is a function of how the LTE connection on mobile networks works.  The private IP address does not change so long as the LTE connection is not interrupted.  The public IP address will routinely change, even when in a static location and obviously when switching between towers.  If I want a public static or a public pseudo-static (DyDNS) IP address from ATT, I would have to pay a one time fee of $500 and get a business rate plan likely costing $100s per month.   Not what I was looking for.    So the conclusion is that with the ATT IoT SIM data plan, I will not be able to use the LRT224 DyDNS on the failover LTE WAN to allow me to remotely access my home network using a hostname.   I have read there might be a couple of options to solve this issue (private VPN or DyDNS client running behind my firewall.) In my use case, all I really need is for my security related devices to still be able to send me notifications when my primary WAN goes down, which doesn't require a public IP address.  

 

FOLLOW UP

 

Linksys firmware engineering is supposed to call me back this next week to discuss the issues.  I offered my services to test any firmware which incorporate changes to address these issues.  


Linksys and Cisco small business equipment is garbage. I got rid of all their buggy equipment in my offices. If you want a bulletproof, easy to use, bug-free multi-wan router get a Peplink. I've never seen something so easy to use and reliable.

 

If you want more than just a router get pfsense on a VM or buy a basic computer as others mentioned. You're wasting your time with linksys. I've been down that never ending road with their support and it's frustrating. I prefer Sophos XG over pfsense and it is free for home use. I have symmetrical gigabit internet and I get full throughput on Sophos XG with a basic Dell R220 server, but the more firewall rules, IPS, A/V Scanning services you run, the less throughput you'll get.

 

I also use a Ubiquiti USG-PRO-4 which is multi-wan, supports failover but not good for load balancing and the configuration is not as flexible as other Enterprise equipment. I get full 1g up and down throughput on this but it's just a basic firewall with no IPS.

 

Also, you could easily use a DDNS service with a cellular connection, just use a Raspberry Pi to report to your DDNS service and configure it to always use the second WAN connection.

 

I actually found this post when searching Google and I'm curious to find out how MWareman is using FreedomPop with the Huawei WiFi hotspot. Did you create a WiFi to Ethernet bridge and connect that bridge to your second WAN? FreedomPop wouldn't send me their burst hub or Netgear 6100D and those were their only cellular hubs that had an Ethernet connection.
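The two posts above raise the same practical problem from opposite sides: the LTE carrier hands the modem a private (or carrier-NAT) address, while a home-built DDNS client on the backup WAN would happily publish whatever address it sees. The following is an added example, not code from this thread or from any DDNS provider. It is the guard logic such a client should run each polling cycle: classify the observed address, refuse to publish anything that is not Internet-routable, skip unchanged addresses, and rate-limit updates so the provider is not hammered the way the LRT224's periodic DyDNS updates were described earlier. All addresses (documentation ranges), intervals and the `send` hook are constructed placeholders.

```python
"""Guard logic for a do-it-yourself DDNS updater on a cellular backup link.

Added example, not code from the thread or any DDNS provider. Addresses,
intervals and the provider hook are constructed placeholders. IPv4 only.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Address space that is never reachable from the public Internet.
NOT_ROUTABLE = {
    "cgnat": [ip_network("100.64.0.0/10")],            # RFC 6598 shared space used by mobile carriers
    "private": [ip_network("10.0.0.0/8"),              # RFC 1918
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16"),
                ip_network("127.0.0.0/8"),             # loopback
                ip_network("169.254.0.0/16")],         # link-local
}


def classify(addr: str) -> str:
    """Return 'cgnat', 'private' or 'public' for the address seen on the modem side."""
    ip = ip_address(addr)
    for kind, nets in NOT_ROUTABLE.items():
        if any(ip in net for net in nets):
            return kind
    return "public"


def plan_update(observed: str, published: Optional[str], seconds_since_update: int,
                min_interval: int = 300) -> str:
    """Decide one polling cycle: 'update', 'skip' or 'unreachable'."""
    if classify(observed) != "public":
        # A private or CGNAT address gives no remote access; publishing it to
        # DNS only exposes internal addressing for nothing.
        return "unreachable"
    if observed == published:
        return "skip"                 # record already correct
    if seconds_since_update < min_interval:
        return "skip"                 # changed, but wait out the rate limit
    return "update"


def run_cycle(observed: str, published: Optional[str], seconds_since_update: int,
              send: Callable[[str], None]) -> str:
    """Apply plan_update and call the provider hook only when an update is due."""
    action = plan_update(observed, published, seconds_since_update)
    if action == "update":
        send(observed)                # hypothetical provider call, e.g. an HTTPS update request
    return action


if __name__ == "__main__":
    for addr in ("100.72.3.9", "10.33.1.7", "203.0.113.25"):   # constructed samples
        print(addr, classify(addr), plan_update(addr, "198.51.100.4", 9999))
```

In the thread's setup the "unreachable" branch is the expected outcome on the AT&T IoT plan, which is why the earlier post settles for outbound notifications only; the client still serves the case where the carrier later assigns a public address.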


UPDATE

 

Dropped some coin on the www.protectli.com Essential SSF router @MWareman suggested. pfSense comes pre-installed which eliminates the first time installation from a flash drive. I stayed away from the Netgate devices for two reasons. Price and the Atom processors, which are prone to fail after 18 months in service in some network products.

 

Transferred all my settings from the crappy Linksys LRT224 after learning the differences in how to configure everything. Just have to apply the FW rules @MWareman suggested to limit which devices can use the LTE failover connection. Otherwise, it works like a champ.

 

No response from Linksys on possible firmware fixes for the LRT224. Submitted a request for a manufacturer's full refund. If Linksys balks, I'll put it up on eBay to recoup at least some coin. I'll likely never buy a Linksys or Cisco product ever again. Sad really, given I went to high school with the Sr. Director Software Operations at Cisco.

 

Thanks to everyone in this thread for their suggestions. It's been quite a learning experience for me.

 

SIDE NOTES

 

I see the Netgear LB2120 LTE modem with built-in failover release date has slipped from March 20 to May 15. Likely an indication of problems, especially given the EU equivalent (LB2110) was never introduced. Glad I decided to get the LB1120 w/o the built-in failover.

 

ATT is considering static IP addresses for their IoT data plans. It will not be available until at least September. The current static IP business plans are extremely cost prohibitive.

Glad you switched over and have had success. Yes the Netgear shipping time slipped so I bought the NETGEAR 4G LTE Modem - AT&T Network-Ready device (LB1120-100NAS) with "WAN" only. I was able to activate it and get a good signal from AT&T. I changed my plan to the unlimited plus so it only ended up costing me $20 more a month which I feel like is a good deal to not only backup my alarm via cellular but also have backup internet for the whole house.

 

The speeds are good and I am getting LTE 30d/15u. I got everything working as its own device. However I am still trying to figure out how to get it working with the pfsense.

 

The WAN only should work with pfsense. I believe it needs to be put in "bridge" mode. I added an interface called LTE as DHCP, which could be wrong, but I was able to get an IP, just not able to connect to the internet.


Yes, put the LB1120 in bridge mode. No internet also might be a function of the APN you are using vs the plan you are paying for. I observed something similar when trying to use some of the other ATT APNs.

There is an APN profile already on the Netgear and direct connection from the device to PC in router mode does allow internet. So I assume it's just something I am not doing correctly in the pfsense. Granted the device came late afternoon and by the time I activated it etc I ran out of more time to test. Had to leave to have dinner with friends and by the time I got home I didn't go back to it.


Very strange.

 

I find my ISP connections and service much more reliable than LAN equipment. If I had a router failure (a much more complex piece of equipment with a shorter MTBF) no amount of alternate access could help in that situation.

 

Keeping my HA going is much more important than keeping remote access, in most aspects.

 

Backing up a router would be a much harder project.

 

 

Just make the bad man stop...! :)

 

Larry-

 

There are multiple reasons some of us want to have backup internet.

 

For one, I work from home a majority of the time, so if my ISP is down I can't work. So then I would have to get dressed, get into the car, and drive 30 mins to my office. That's asinine! Who wants that? ;) Second, some of us want backup for our home alarm systems for the safety of our families. With backup cellular data we still have internet access to other devices like home automation controllers, MyQ garage door opener, alarm system, etc. In the past I paid $10 a month as an extra line just to have cellular phone backup on my alarm on my HAI C3 communicator. Now with pfsense router I can pay $20 and have data now for the whole home as backup. This goes back to the same old point, if you feel your ISP is sufficient and never down, and are willing to take a chance that it's down in an emergency, possibly risking you and your family's life, that's your decision. I know for me, having a backup system in place for internet is just as important as a generator on my home. I haven't used it in a year but when we lost power for 2 days I sure was glad to have it. For me it boils down to cheap insurance.

 

You do bring up a good point however about backup router equipment, which I am also looking into doing. Once I get this done I will be looking at adding a second ISP modem, and second router for failover. If for any reason there is no connection then automatically turn on the second devices and turn off the first ones. The cost for hardware is very cheap now to run a router. If anyone has good ideas for failover for equipment I would love to get some pointers. The great thing about pfsense is I can copy the config, load it to the second device and be done.

 

One of the other reasons I went to pfsense was to also gain privacy while online. I now am running SquidGuard, a VPN full time for all devices behind my switch, and anonymous DNS service. I am taking my online privacy very seriously now with all of the breaches of data on services. I am also moving all my passwords to a password manager with "strong" passwords.


I use the Personal (with free account) OpenDNS DNS servers to filter malware and content. Prior to pfSense I had to have a client running on my Linux server to update the WAN IP address. pfSense supports OpenDNS directly via DDNS. I then run Adblock Plus and ClamAV on clients.

 

I think I read you can run both an ad blocker and virus scanning on pfSense, but that might require faster hardware than from protectli.com


So, I got myself a LB1120-100NAS as well - and just got it going with my FreedomPOP SIM. Works well.

 

The basics:

 

The LB1120-100NAS is in router mode. I have mine at the default IP (192.168.5.1).

The pfSense interface (I called mine WAN_FAIL) has a static IP (I set 192.168.5.2).

On pfSense, configure an 'outbound' NAT rule applied to the WAN_FAIL interface to NAT outbound traffic to the WAN_FAIL address.

   (Yes, this results in double-NAT - this appears necessary because you cannot add static routes to the LB1120-100NAS)

Add a firewall rule to allow traffic from 'LAN Net' to 'WAN_FAIL Net'

 

Then you need to create a gateway group (to set up your failover policy) and then create outbound firewall rules to assign traffic from designated hosts to the failover gateway group.

 

Michael.


I think this is what I did to get dual WAN failover to work.  

 

LB1120:

  • Put in bridge mode with default IP 192.168.5.1

pfSense:

  • Interfaces -> OPT1 -> Enable
  • System -> Routing -> GW Groups -> Add -> WAN1 -> Tier1 -> OPT1 -> Tier2
  • System -> General -> Added 2 DNS servers each for WAN1 and OPT1 (also use DNS forwarder w/host overrides, DHCP static leases.)  
  • FW -> Rules -> LAN -> Changed IPv4 rule to use GW Group created above (allows all LAN traffic, need to tweak to limit IPs over OPT1.)

Power cycle:

  • Similar to a cable modem, I think you have to power cycle the LTE modem and router together.
  • I have seen the LTE modem GW offline, but if I temporarily check System -> General -> DNS override and Disable DNS forwarder, I can force the LTE GW back online.  

Testing from couch:

  • System -> Routing -> Gateways -> WAN -> Force State -> Mark GW as Down

Reference: 
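Michael's recipe earlier in the thread (gateway group with the LTE link at a lower priority, LAN rule pinned to the primary gateway, a top rule sending only the alarm and NVR hosts to the group) and the step list just above are two views of the same policy. The following is an added example, not pfSense code and not from anyone in this thread: a small model of that first-match rule evaluation and tier selection, so the "who can use the metered link" policy can be checked on paper before it goes on the firewall. Hosts, networks and gateway names are constructed. The one real setting it reproduces is pfSense's "Skip rules when gateway is down" option (System > Advanced > Miscellaneous), which is off by default; without it, a rule whose pinned gateway is down is loaded without that gateway, so the "everyone else" traffic follows the default route and can land on the LTE link after all.

```python
"""Decision model for the pfSense failover recipe in this thread.

Added example, not pfSense code: it reproduces the logic of a gateway group
with tiers, a LAN rule pinned to the primary gateway, and a top rule that
sends only designated hosts to the failover group. Hosts, networks and
gateway names are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Union


@dataclass
class Gateway:
    name: str
    tier: int            # 1 = preferred; higher tiers used only when lower tiers are down
    online: bool = True  # what gateway monitoring (dpinger) would report


@dataclass
class GatewayGroup:
    name: str
    members: List[Gateway]

    def select(self) -> Optional[Gateway]:
        """Lowest-numbered tier that still has an online member wins."""
        online = [g for g in self.members if g.online]
        return min(online, key=lambda g: g.tier) if online else None


@dataclass
class Rule:
    source: IPv4Network
    target: Union[Gateway, GatewayGroup]  # gateway or group set on the pass rule


def resolve_gateway(src: str, rules: List[Rule], default_gateway: str,
                    skip_rules_when_gw_down: bool = False) -> Optional[str]:
    """First-match evaluation; returns the gateway name a flow from src leaves on.

    skip_rules_when_gw_down mirrors the pfSense option of that name and, as on
    pfSense, defaults to off.
    """
    addr = ip_address(src)
    for rule in rules:
        if addr not in rule.source:
            continue
        gw = rule.target.select() if isinstance(rule.target, GatewayGroup) else rule.target
        if gw is not None and gw.online:
            return gw.name
        if skip_rules_when_gw_down:
            continue            # rule is not loaded at all; later rules or default deny decide
        return default_gateway  # rule is loaded without its gateway: plain default route
    return None                 # nothing matched: implicit deny


def build_policy(wan_online: bool) -> List[Rule]:
    wan = Gateway("WAN_GW", tier=1, online=wan_online)
    lte = Gateway("LTE_GW", tier=2)
    failover = GatewayGroup("FAILOVER", [wan, lte])
    return [
        Rule(ip_network("192.168.1.10/32"), failover),  # alarm panel (constructed)
        Rule(ip_network("192.168.1.20/32"), failover),  # NVR (constructed)
        Rule(ip_network("192.168.1.0/24"), wan),        # rest of LAN pinned to primary
    ]


def egress(host: str, wan_online: bool, skip_rules_when_gw_down: bool = False) -> Optional[str]:
    # With default gateway switching on, pfSense moves the default route to the
    # surviving gateway; modelled here as the default following WAN availability.
    default = "WAN_GW" if wan_online else "LTE_GW"
    return resolve_gateway(host, build_policy(wan_online), default, skip_rules_when_gw_down)


if __name__ == "__main__":
    for skip in (False, True):
        for host in ("192.168.1.10", "192.168.1.50"):
            print(f"WAN down, skip_rules_when_gw_down={skip}: {host} -> {egress(host, False, skip)}")
```

Run stand-alone it prints the WAN-down outcomes for the alarm host and an ordinary LAN host: with the option off both end up on LTE_GW, with it on only the alarm host does and the ordinary host gets no route, which is the behaviour the thread is after.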
