stevenma
just joined
Topic Author
Posts: 24
Joined: Mon Aug 07, 2017 5:44 pm

Advice on Optimal Solution to using both VDSL & LTE Circuits

Thu Dec 09, 2021 3:31 pm

Hello,

I wish to create the optimal solution that automatically makes use of both of my Internet 'circuits'. I'm not asking how to implement the solution, at least not at this stage, as I plan to try with my moderate but improving MT networking experience.

My initial thoughts are:
1. Keep the 4G LTE LHG as my main circuit.

2. Use the Sky VDSL as a failover, making use of the Sky Router in DHCP mode - if possible / practical, avoiding double NAT if feasible.


Use Cases
- I use DuckDNS, considering ZeroTier, have HomeAssistant, have CCTV, need some remote printing from my office using a forwarded port but recognise this isn't secure and going forward security is of paramount importance to me, remote NAS access, Main, Guest & IoT WiFi.


Circuits
- Sky UK VDSL 16Dn / 1Up - Not tested yet but looks like bridge mode is now supported by the Sky SR203 Router. I am not fixated by running this circuit in Bridge Mode as I understand that this will prevent the Sky TR069 monitoring & control. We have Sky Q satellite TV with two boxes, main & mini. Sky Q works over the LTE, it doesn't have to operate over the Sky VDSL

- 3 UK LTE 4G 50Dn / 25Up LHG - to be run in Bridge / IP Passthrough mode. I do get dynamic Public IPV4 addresses. I currently use this but can (clunkily!) patch the network to the VDSL as a manual failover


MT Hardware
- RB4011 Router (non-WiFi version) with;
- several hAP ac for indoor WiFi in a largeish home with;
- 3x CRS112 PoE switches for all devices that can be wired and / or be powered via PoE;
- a couple of wAP or wAP ac to come for garden & front yard;
- and a mAP lite for some ESP32 IoT devices out of range of the main WiFi.

Does that all make sense?

I look forward to and welcome your advice and suggestions.

Thanks,
Steve
 
aesmith
Member Candidate
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Advice on Optimal Solution to using both VDSL & LTE Circuits

Thu Dec 09, 2021 4:09 pm

That's not a million miles from my setup. I use:
  • SXT-LTE as my primary Internet connection, with Three unlimited phone SIM
  • RB4011 as central main router, almost all network devices to connect via Ethernet or wireless
  • Zyxel ADSL router as backup Internet connection
I don't have the SXT passing through its address, instead there's a Layer 3 link between the SXT and RB4011, the SXT does NAT and firewall. Similarly the Zyxel does NAT and firewall for the ADSL connection. No NAT on the RB4011, it just does switching and routing.

On the RB4011 I have configured some traffic to use the ADSL as its first preference, that is easy if it can be distinguished by destination. Other classifications can be done by using routing marks, but I have only played around with that and don't use it seriously.

Just recently I've added remote client VPN configured on the SXT, using L2TP and IPsec PSK. I configured DDNS so that I can connect using a static DNS name.
 
tdw
Forum Guru
Posts: 1855
Joined: Sat May 05, 2018 11:55 am

Re: Advice on Optimal Solution to using both VDSL & LTE Circuits

Thu Dec 09, 2021 4:17 pm

There isn't an easy way to avoid double-NAT if keeping the Sky router in router mode. You could possibly get around it using the same LAN IP range on the 4011 as the Sky router but with a differing gateway address, disabling the DHCP server on the Sky router and adding a static route on the 4011 for the backup link.

With either that, or a conventional second WAN setup on the 4011, the traffic would use the lesser gateway distance via LTE. As 3 appear to use a DHCP lease of 60 seconds, failover would be a maximum of that without resorting to scripts.
 
aesmith
Member Candidate
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Advice on Optimal Solution to using both VDSL & LTE Circuits

Thu Dec 09, 2021 4:55 pm

> There isn't an easy way to avoid double-NAT if keeping the Sky router in router mode. You could possibly get around it using the same LAN IP range on the 4011 as the Sky router but with a differing gateway address, disabling the DHCP server on the Sky router and adding a static route on the 4011 for the backup link.

That's exactly how I have my ADSL connected.
For failover I use recursive gateways configured on the RB4011, rather than scripts or relying on the Three connection losing its IP address.

I don't have double NAT on either connection, NAT is only carried out on the two Internet routers. However for many people it may not matter on the failover path if it made routing easier, and it would mean the failover router doesn't need routes to all internal subnets.

My specific reason for removing NAT from the RB4011 was the behaviour of my SIP connections. When the RB4011 was doing NAT, it would set up a connection and source NAT for the SIP phone over the main (LTE) Internet connection. That connection stays up all the time by design, to allow inbound SIP signalling. If the Internet fails over, the RB4011 would change the routing for that connection, now going to the backup router, but it does not change the NAT. So the SIP traffic was being sent out with a source address appropriate for the LTE connection, but incorrect for the failover path.
 
tdw
Forum Guru
Posts: 1855
Joined: Sat May 05, 2018 11:55 am

Re: Advice on Optimal Solution to using both VDSL & LTE Circuits

Thu Dec 09, 2021 5:48 pm

Yes, SIP and NAT-T IPsec can get stuck, it needs a script to purge UDP connection state when the primary gateway comes back.

If the 4011 were performing NAT for the LTE connection (with the SXT or LHG using passthrough) the masquerade rules may only be purged if the interface drops, not on the loss of address. A DHCP script to purge connections on loss of lease should be sufficient.
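
The stale source-NAT behaviour described in the two posts above, modelled in Python as an added example that is not part of the thread and is not RouterOS code. The addresses, the `Router` class and the choice to purge at the moment the route changes are all constructed assumptions for illustration.

```python
# Toy model of stateful source NAT across a WAN failover (all values constructed).
from dataclasses import dataclass, field

# Constructed WAN-side addresses the router would masquerade to on each uplink.
WAN_ADDR = {"lte": "198.51.100.20", "adsl": "192.168.1.2"}


@dataclass
class Router:
    active_wan: str = "lte"                        # current routing decision
    conntrack: dict = field(default_factory=dict)  # flow -> src-NAT address

    def send(self, proto, src, dst):
        """Forward one packet; return (egress uplink, source address on the wire)."""
        flow = (proto, src, dst)
        # Routing is evaluated per packet, so it follows the failover at once.
        egress = self.active_wan
        # The NAT mapping is chosen for the first packet of a flow only and is
        # reused for as long as the connection-tracking entry exists.
        if flow not in self.conntrack:
            self.conntrack[flow] = WAN_ADDR[egress]
        return egress, self.conntrack[flow]

    def purge(self, proto):
        """Drop tracked flows of one protocol, as a purge script would."""
        stale = [f for f in self.conntrack if f[0] == proto]
        for f in stale:
            del self.conntrack[f]
        return len(stale)


def sip_failover_demo(purge_on_failover):
    """Return the (egress, source) pairs seen before and after the failover."""
    r = Router()
    phone, registrar = "192.168.88.50:5060", "203.0.113.10:5060"
    before = r.send("udp", phone, registrar)   # long-lived SIP flow set up over LTE
    r.active_wan = "adsl"                      # LTE fails, default route moves
    if purge_on_failover:
        r.purge("udp")                         # forces a fresh NAT decision
    after = r.send("udp", phone, registrar)    # next packet of the same flow
    return before, after


if __name__ == "__main__":
    for purge in (False, True):
        print("purge" if purge else "no purge", sip_failover_demo(purge))
```

Without the purge, the second packet leaves via the backup uplink while still carrying the LTE source address; with it, the flow is re-tracked and picks up the address that matches the new path.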
 
aesmith
Member Candidate
Posts: 264
Joined: Wed Mar 27, 2019 6:43 pm

Re: Advice on Optimal Solution to using both VDSL & LTE Circuits

Thu Dec 09, 2021 6:42 pm

I had a bit of a fiddle with options but it was easier to let the SXT do the NAT. It's a fully featured router so its NAT and firewall capabilities are just as good. It also means it can be managed with a single connection without the need for VLANs or anything. I'm not clear what benefits people see from a pass-through configuration.
 
stevenma
just joined
Topic Author
Posts: 24
Joined: Mon Aug 07, 2017 5:44 pm

Re: Advice on Optimal Solution to using both VDSL & LTE Circuits

Thu Dec 09, 2021 6:51 pm

@aesmith, @tdw

Just a brief acknowledgement and many thanks for your responses so far, they're very much appreciated. I clearly have more learning ahead of me but an interesting challenge too!

Hopefully this thread will be useful to others like us with similar setups.

Rgds, Steve
