Using the 4GEE Home Router as a secondary WAN for failover with OpenWrt and mwan3

Press shot of 4GEE home router

Here’s how I set up a secondary WAN for failover using the 4GEE Home Router as another WAN connection.

Just prefacing this with a small disclaimer: I don’t necessarily endorse doing this specific setup. I chose EE 4G broadband because I’m already an EE customer and it was the most accessible way for me to obtain another broadband line easily at a reasonable cost.

I’m running OpenWrt on my Linksys WRT3200ACM; its single WAN port is being used by my fibre connection from the Virgin Media Super Hub 3 router/modem (running in modem only mode). In order to bring EE 4G into the mix I need to have another WAN interface configured. Most routers will only have one designated WAN port, as is the case with mine, but that doesn’t mean you can’t create another!

In order to create another WAN port, I will be sacrificing one of the built-in LAN ports to the network gods. This isn’t too much of an issue for me as I already have several gigabit switches running off other LAN ports.

Configuring the VLAN

The easiest way to configure a VLAN is through LuCI. You can also manually set the switch config in /etc/config/network, but I’ll admit, I’m not an expert on VLANs, so I’m using LuCI.

From LuCI go to Network > Switch

  • Remove a single physical LAN port from the default VLAN 1; this port will become the new physical second WAN port. I chose LAN1, but it doesn’t really matter which LAN port you use, it just needs to be moved to its own VLAN.
  • Assign the LAN port to a new VLAN number such as 3 and set the port to be untagged in this single new VLAN and off in all other VLANs. This VLAN, as with all VLANs, should also include the built-in CPU port as a tagged member, so there are a total of two ports in the new VLAN. In the case of dual core CPU routers, make sure to tag CPU0 (eth0).

The switch config should look something like this:

OpenWrt LuCI VLAN config for creating a second WAN using one of the LAN ports

Reboot the router for the new VLAN interface to become active (e.g. eth0.x for what will be the new WAN interface).

From LuCI go to Network > Interfaces

  • Add a new interface name for the new eth0.x adapter, name the new VLAN physical interface “wanb”.
  • Configure the new WANB interface IP details accordingly. For the 4GEE home router, static address is going to be the best option, which I’ll cover in more detail below. For now though, you can set it to DHCP client, just for the initial stage.
  • Assign the new WANB interface to the existing wan firewall zone.
  • Under Advanced Settings, set a metric value of 20, as this WAN connection should be secondary and not used by default.

The 4G EE router

The 4GEE home router itself is your basic ISP provided bit of hardware. It has more features in the firmware than I expected but realistically, I’m not really interested in them, I only really want its WAN connection. This is provided by an EE 4G SIM, inserted into the device, which connects to EE’s 4G network.

The first thing I needed to do is connect through WiFi to get to the settings page. You’ll need to change the admin interface password from ‘admin’ to something not ‘admin’. Fortunately whoever develops the firmware did force a decent complexity rule on this, so no ‘admin1’ or ‘password’ entries please! Fun fact, under the hood, the 4GEE home router is also running a variant of OpenWrt.

The default LAN IPv4 is 192.168.1.1. I needed to change the default LAN range from 192.168.1.0/24 to 192.168.2.0/24 because my main router is using 192.168.1.0/24, so this would cause a conflict once the 4GEE router was connected to my new VLAN port.

An important note, the 4GEE router doesn’t support any form of bridge/modem mode.

LAN settings on the 4GEE home router

After changing the LAN range, I then connected an ethernet cable from the LAN1/WAN port on the 4GEE home router to the VLAN port on my main router. I don’t think it really matters which of the two ports you use on the 4GEE home router. They are both being used as LAN ports in this scenario.

After doing this I then confirmed that the wired link between the 4GEE home router and my main router was established: in LuCI I went to Network > Interfaces and observed that the WANB interface had a local IPv4 of 192.168.2.xxx, as this had been assigned by the DHCP server running on the 4GEE router.

To confirm the EE 4G WAN side was actually working, I did a traceroute to see what the output was, 192.168.2.1 being the 4GEE router gateway.

root@linksys-wrt3200acm:~# traceroute -i eth0.3 ee.co.uk
traceroute to ee.co.uk (54.72.138.208), 30 hops max, 38 byte packets
1 192.168.2.1 (192.168.2.1) 0.640 ms 0.524 ms 0.489 ms
2 192.168.225.1 (192.168.225.1) 2.829 ms 2.587 ms 2.721 ms
3 * * *
4 10.248.29.49 (10.248.29.49) 64.474 ms 22.144 ms 20.225 ms
5 10.247.85.25 (10.247.85.25) 24.692 ms 19.219 ms 22.037 ms
6 10.247.85.6 (10.247.85.6) 18.520 ms 28.545 ms 22.603 ms
7 10.247.85.9 (10.247.85.9) 21.521 ms 21.265 ms 19.252 ms
8 10.247.85.18 (10.247.85.18) 28.417 ms 22.408 ms 25.317 ms
9 87.237.20.220 (87.237.20.220) 33.045 ms 37.725 ms 30.744 ms
10 87.237.20.69 (87.237.20.69) 27.090 ms 26.970 ms 23.940 ms
11 99.82.179.60 (99.82.179.60) 23.674 ms 99.82.179.62 (99.82.179.62) 24.011 ms 26.596 ms
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 150.222.241.236 (150.222.241.236) 74.086 ms 150.222.241.250 (150.222.241.250) 52.155 ms 150.222.241.228 (150.222.241.228) 64.246 ms
19 * * *
20 52.93.6.234 (52.93.6.234) 70.973 ms 52.93.6.136 (52.93.6.136) 59.832 ms 52.93.6.188 (52.93.6.188) 56.512 ms
21 52.93.101.3 (52.93.101.3) 53.125 ms 52.93.101.43 (52.93.101.43) 58.653 ms 52.93.101.41 (52.93.101.41) 51.525 ms
22 52.93.101.0 (52.93.101.0) 55.028 ms 52.93.101.22 (52.93.101.22) 62.552 ms 52.93.101.32 (52.93.101.32) 57.130 ms
23 52.93.7.131 (52.93.7.131) 63.963 ms 52.93.7.153 (52.93.7.153) 57.078 ms 52.93.7.133 (52.93.7.133) 73.788 ms
24 * *^C

The * * * responses aren’t anything to worry about, as it simply means whatever router/device in the path didn’t respond, which is sometimes the case. UDP packets for traceroute can sometimes be filtered or the TTL can be too short, but the traffic is still being passed.

A further test to confirm the external WAN address was a quick test with curl:

root@linksys-wrt3200acm:~# curl --interface eth0.3 http://ifconfig.co/ip
213.205.192.45

Which returns an EE 4G IPv4 address. Nice. It’s important to note that the EE IPv4 address isn’t routed to you directly, as it’s an IPv4 address through CGNAT; however, this is fine for me as this is for outbound traffic purposes, not inbound.

I could leave it there and use it as an IPv4 only WAN connection, but my network has IPv6 and I know EE 4G has IPv6 support, so I next looked at IPv6.

Configuring IPv6

The 4GEE home router is also capable of IPv6, given it’s using the EE 4G network. Looking at various sources, EE 4G broadband is IPv6 enabled; EE’s fibre home broadband doesn’t appear to be yet, much to some groans on the EE community forums. In the admin interface there are a couple of options in the Data connection section, the most interesting one being labelled “Connect IP mode”.

Data connection settings on the 4GEE home router

IPv4v6 is the default setting. A bit of a weird one, but IPv6 doesn’t seem to be configured initially in IPv4v6 mode. This is noted by the device status only having an IPv4 address. However I did find that if I switched the Connect IP mode to IPv6, then switched it back to IPv4v6 mode, disconnected and then reconnected using the status page, an IPv6 address is then allocated alongside an IPv4. I’m not sure if this is the intended behaviour here. I have reached out to EE for further clarification on this.

Out of interest, I decided to switch the WANB interface to DHCPv6 client for a test, to see if my main router would automatically pick up an IPv6 prefix/route from the 4GEE home router once it was allocated an IPv6 address. Yes, it does! Which is nice. A /64 and a /128 IPv6 address were automatically configured on the interface.

However, the problem with changing the WANB interface itself to DHCPv6 is I’ve just broken the IPv4 connectivity and wouldn’t be able to send any IPv4 traffic through the EE WAN anymore, so that’s a problem.

What I ended up doing was configuring the WANB interface as static address with an IPv4 static address of 192.168.2.2 and a gateway of 192.168.2.1, which maintains the IPv4 route. I then created an alias interface WANB6 off the WANB interface and set that to DHCPv6 client. Here’s an example of the interface configuration in /etc/config/network:

config interface 'wanb6'
	option proto 'dhcpv6'
	option ifname '@wanb'
	option reqaddress 'try'
	option reqprefix 'auto'

The key part to this is the ifname using the @ symbol, indicating this as an alias, this then will automatically configure IPv6 obtained from the 4GEE router onto the eth0.3 interface.

It doesn’t look like the 4GEE router will provide anything more than a /64 address, so no prefix delegation. Trying to obtain a prefix just returns the same /64. No prefix is delegated, which is a bit of a pain.

The IPv6 prefix delegated from EE is not static either, so it’s possible it can change. However providing the 4GEE home router remains connected to the EE 4G network without disconnecting or power loss, it appears the same IPv6 prefix remains allocated, until one of those events occurs.

To confirm the IPv6 connectivity was actually working, I did a similar traceroute test. I’ve partially masked the first hop, given it reveals an IPv6 address associated with my 4GEE router, although I’ve since rotated that prefix.

root@linksys-wrt3200acm:~# traceroute -6 -i eth0.3 ipv6.google.com
traceroute to ipv6.google.com (2a00:1450:4009:816::200e), 30 hops max, 64 byte packets
1 2a01:4c8:c44:3987:xxx:xxx:xxxx:xxxx (2a01:4c8:c44:3987:xxxx:xxxx:xxxx:xxxx) 0.564 ms 0.720 ms 0.617 ms
2 * * *
3 2a01:4c8:f800:d2e:: (2a01:4c8:f800:d2e::) 31.993 ms 68.005 ms 40.470 ms
4 2a01:4c8:f800:d01::1 (2a01:4c8:f800:d01::1) 39.374 ms 38.046 ms 38.236 ms
5 2a01:4c8:f800:d02::4 (2a01:4c8:f800:d02::4) 41.572 ms 23.442 ms 40.525 ms
6 2a01:4c8:f800:d03::1 (2a01:4c8:f800:d03::1) 48.821 ms 36.292 ms 35.515 ms
7 2a01:4c8:f800:d04::2 (2a01:4c8:f800:d04::2) 39.272 ms 60.842 ms 31.439 ms
8 2a01:4c8:f800:8217:: (2a01:4c8:f800:8217::) 39.026 ms 62.315 ms 40.605 ms
9 2a01:4c8:f800:8041::2 (2a01:4c8:f800:8041::2) 43.537 ms 43.335 ms 38.241 ms
10 2001:4860:1:1:0:3120:0:a (2001:4860:1:1:0:3120:0:a) 42.052 ms 23.263 ms 26.047 ms
11 2a00:1450:8070::1 (2a00:1450:8070::1) 23.804 ms 2a00:1450:8103::1 (2a00:1450:8103::1) 39.663 ms 2a00:1450:8032::1 (2a00:1450:8032::1) 39.380 ms
12 2001:4860:0:1::1d8c (2001:4860:0:1::1d8c) 26.697 ms 2001:4860:0:1::1d86 (2001:4860:0:1::1d86) 49.441 ms 2001:4860:0:135e::1 (2001:4860:0:135e::1) 37.000 ms
13 * 2001:4860:0:135d::12 (2001:4860:0:135d::12) 57.922 ms *
14 lhr25s25-in-x0e.1e100.net (2a00:1450:4009:816::200e) 54.751 ms 22.599 ms 40.034 ms

Looking good, now we’ve got a secondary WAN with IPv4 and IPv6 connectivity!

But wait… A weird issue that I came across is some IPv6 sites work fine. Others just fail with:

traceroute6: can't connect to remote host: Permission denied

This happens with ping6, curl and other network tools and I honestly couldn’t figure out why. I ended up stumbling on the answer from the OpenWrt forums:

https://forum.openwrt.org/t/ping-and-traceroute-failing-for-eth0-3-on-ipv6/44680

It appears to be specifically related to OpenWrt not being able to correctly select the source address for the right interface in some cases. The workaround was to add this additional route to /etc/config/network.

config route6
	option interface 'wanb6'
	option target '::/0'

My router now has connectivity through IPv6 on the second WAN, but this is not available to my LAN, because there is no prefix to delegate across. I did try looking at NDP and relaying the existing /64 address space which did seem to work (kind of) but was very unreliable and kept breaking. In the end I had to do something slightly controversial and use NAT66. I talk about why I did this in another article.

I have asked EE for further comment regarding the IPv6 prefix that is allocated to the 4GEE home router. My suspicions are it’s a single /64 based on what I’m seeing. I doubt they can offer something like /56 or even a /60.

Configuring WAN failover

So we now have a secondary WAN connection available, how can you then set up failover? This is possible by using something called mwan3, which is designed to route traffic over one or more WAN interfaces, by defining policies and rules for traffic.

My use case is essentially I only want to use the EE 4G WAN when my Virgin Media connection goes down for whatever reason and for convenience route any ee.co.uk related site through EE itself, which has the advantage of having a consistent test to confirm WANB is working and I also avoid the annoying prompts of “Disconnect from WiFi or your VPN to see you usage info” from the 4GEE router or mobile app if I just send it through EE directly! Ha.

The documentation for mwan3 is fairly comprehensive and its inner workings are explained in detail on the OpenWrt wiki:

An example configuration of having WAN and WANB in a failover scenario with IPv6 support would be something like the default config that ships with the latest mwan3. You can of course adapt this to your needs.

config globals 'globals'
	option mmx_mask '0x3F00'
	option rtmon_interval '5'

config interface 'wan'
	option enabled '1'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '2'
	option count '1'
	option timeout '2'
	option failure_latency '1000'
	option recovery_latency '500'
	option failure_loss '20'
	option recovery_loss '5'
	option interval '5'
	option down '3'
	option up '8'

config interface 'wan6'
	option enabled '0'
	list track_ip '2001:4860:4860::8844'
	list track_ip '2001:4860:4860::8888'
	list track_ip '2620:0:ccd::2'
	list track_ip '2620:0:ccc::2'
	option family 'ipv6'
	option reliability '2'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'

config interface 'wanb'
	option enabled '0'
	list track_ip '8.8.4.4'
	list track_ip '8.8.8.8'
	list track_ip '208.67.222.222'
	list track_ip '208.67.220.220'
	option family 'ipv4'
	option reliability '1'
	option count '1'
	option timeout '2'
	option failure_latency '1000'
	option recovery_latency '500'
	option failure_loss '20'
	option recovery_loss '5'
	option interval '5'
	option down '3'
	option up '8'

config interface 'wanb6'
	option enabled '0'
	list track_ip '2001:4860:4860::8844'
	list track_ip '2001:4860:4860::8888'
	list track_ip '2620:0:ccd::2'
	list track_ip '2620:0:ccc::2'
	option family 'ipv6'
	option reliability '1'
	option count '1'
	option timeout '2'
	option interval '5'
	option down '3'
	option up '8'

config member 'wan_m1_w3'
	option interface 'wan'
	option metric '1'
	option weight '3'

config member 'wan_m2_w3'
	option interface 'wan'
	option metric '2'
	option weight '3'

config member 'wanb_m1_w2'
	option interface 'wanb'
	option metric '1'
	option weight '2'

config member 'wanb_m2_w2'
	option interface 'wanb'
	option metric '2'
	option weight '2'

config member 'wan6_m1_w3'
	option interface 'wan6'
	option metric '1'
	option weight '3'

config member 'wan6_m2_w3'
	option interface 'wan6'
	option metric '2'
	option weight '3'

config member 'wanb6_m1_w2'
	option interface 'wanb6'
	option metric '1'
	option weight '2'

config member 'wanb6_m2_w2'
	option interface 'wanb6'
	option metric '2'
	option weight '2'

config policy 'wan_only'
	list use_member 'wan_m1_w3'
	list use_member 'wan6_m1_w3'

config policy 'wanb_only'
	list use_member 'wanb_m1_w2'
	list use_member 'wanb6_m1_w2'

config policy 'balanced'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m1_w2'
	list use_member 'wan6_m1_w3'
	list use_member 'wanb6_m1_w2'

config policy 'wan_wanb'
	list use_member 'wan_m1_w3'
	list use_member 'wanb_m2_w2'
	list use_member 'wan6_m1_w3'
	list use_member 'wanb6_m2_w2'

config policy 'wanb_wan'
	list use_member 'wan_m2_w3'
	list use_member 'wanb_m1_w2'
	list use_member 'wan6_m2_w3'
	list use_member 'wanb6_m1_w2'

config rule 'https'
	option sticky '1'
	option dest_port '443'
	option proto 'tcp'
	option use_policy 'balanced'

config rule 'default_rule'
	option dest_ip '0.0.0.0/0'
	option use_policy 'balanced'

https://github.com/openwrt/packages/blob/master/net/mwan3/files/etc/config/mwan3

For my personal usage, I removed the balanced policy and simply used the wan_wanb, wanb_wan, wan_only and wanb_only policies. You can add additional rules before the https and default rule as required; these are just the example rules defined.
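
The policies above only fail over if the interfaces their members point to are enabled, and the config as shown has wan6, wanb and wanb6 at enabled '0'. As an added example (not from the original post or the mwan3 project), this shell function prints the member order each policy yields, lowest metric first with equal metrics balanced, and flags members whose interface is disabled or undefined. The names mwan3_lint and SAMPLE_CONFIG are hypothetical, the sample is a constructed IPv4-only cut of the config above, and treating a missing enabled option as disabled and a missing family as ipv4 are assumptions.

```shell
# Added example, not from the original post; mwan3_lint and SAMPLE_CONFIG are hypothetical names.
# Constructed sample: a trimmed, IPv4-only cut of the config shown above.
SAMPLE_CONFIG="
config interface 'wan'
    option enabled '1'
config interface 'wanb'
    option enabled '0'
config member 'wan_m1_w3'
    option interface 'wan'
    option metric '1'
config member 'wanb_m1_w2'
    option interface 'wanb'
    option metric '1'
config member 'wanb_m2_w2'
    option interface 'wanb'
    option metric '2'
config policy 'balanced'
    list use_member 'wan_m1_w3'
    list use_member 'wanb_m1_w2'
config policy 'wan_wanb'
    list use_member 'wan_m1_w3'
    list use_member 'wanb_m2_w2'
"

# Usage: mwan3_lint ipv4|ipv6 < /etc/config/mwan3
# Prints "policy: a > b" (b is the fallback) or "a = b" (same metric, balanced).
# Exit status is 1 if any referenced member is disabled or undefined.
mwan3_lint() {
    awk -v fam="$1" '
    function unq(s) { gsub(/\047/, "", s); return s }   # strip single quotes
    $1 == "config" {
        type = $2; name = unq($3)
        # Assumed defaults when the option is absent: disabled, ipv4.
        if (type == "interface") { enabled[name] = 0; family[name] = "ipv4" }
        if (type == "policy") policy[++np] = name
        next
    }
    type == "interface" && $2 == "enabled"  { enabled[name] = unq($3) + 0 }
    type == "interface" && $2 == "family"   { family[name] = unq($3) }
    type == "member" && $2 == "interface"   { m_if[name] = unq($3) }
    type == "member" && $2 == "metric"      { m_metric[name] = unq($3) + 0 }
    type == "policy" && $2 == "use_member"  { uses[name] = uses[name] " " unq($3) }
    END {
        for (p = 1; p <= np; p++) {
            n = split(uses[policy[p]], m, " "); k = 0
            for (i = 1; i <= n; i++) {
                if (!(m[i] in m_if) || !(m_if[m[i]] in enabled)) {
                    tag = m[i] "(undefined)"; met = 9999; bad = 1
                } else {
                    ifc = m_if[m[i]]
                    if (family[ifc] != fam) continue
                    tag = ifc; met = m_metric[m[i]]
                    if (enabled[ifc] != 1) { tag = tag "(disabled)"; bad = 1 }
                }
                # Insertion sort by metric: lowest metric is tried first.
                for (j = k++; j >= 1 && smet[j] > met; j--) { stag[j + 1] = stag[j]; smet[j + 1] = smet[j] }
                stag[j + 1] = tag; smet[j + 1] = met
            }
            line = policy[p] ":"
            for (i = 1; i <= k; i++)
                line = line (i == 1 ? " " : (smet[i] == smet[i - 1] ? " = " : " > ")) stag[i]
            print line
        }
        exit bad + 0
    }'
}

printf '%s\n' "$SAMPLE_CONFIG" | mwan3_lint ipv4 || echo "policies reference unusable members"
```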

Performance and speed tests

As the 4GEE home router is 4G (that’s pretty obvious by now right?!), it’s bound by a few things:

  1. Signal strength to the mobile network (nearest mast in my area)
  2. Maximum speeds of 4G itself (somewhat tied to point one)
  3. WiFi performance between client and router (Although this isn’t applicable to me for my use case)
  4. Monthly data caps based on the set data plan (mine is 100GB)

Doing a speedtest from the LAN2 port (given I’m not using the WiFi functionality at all), the test result was quite respectable.

EE 4G speed test from LAN2 port no additional antennas

The download speed certainly beats some of the lower tier fixed broadband providers. The upload isn’t too bad either, though I think I might be able to get a bit more. The upload speed is ironically slightly better than my Virgin Media 100/10 Mbps line, so there’s that. I have noticed that the signal strength according to the 4GEE router is on the low side (1–2 bars), so I purchased an additional two 9dBi SMA Male antennas. It did make some improvement in terms of the visual signal indicator at times, but it was still quite low signal. I decided to place the 4GEE home router in various locations in my house to see if there were better signal spots. There were. I found placing my 4GEE router in the upstairs of my house yielded full signal and this improved the upload speed.

4GEE home router speed test after moving the device for better signal

This new location, however, presents a challenge because I need to have both my main router and 4GEE home router linked via the VLAN I originally set up and now they are in two different parts of my house! I ended up purchasing some additional powerline ethernet adapters to create a dedicated wired link between the two again, so I could have the 4GEE router in a different location and not have it directly tied to my main router downstairs (where signal strength is quite poor). Fortunately, despite concerns with using powerline ethernet adapters (potentially messing with the VLAN traffic), they seem to pass through the traffic fine.

It’s worth noting, you can also purchase a compatible external antenna (designed to be mounted on the outside of your home) which the 4GEE router can use. EE themselves offer this service for £100.00, however this is generally for people that live in rural areas with limited coverage. For me I’m not in a bad area for 4G coverage, it’s just a case of placement within my home seems to have a dramatic effect on the signal strength.

Is it worth doing this with a 4GEE home router?

It depends. If you’re just looking for a basic solution to have internet connectivity if your primary WAN connection goes down, you could just have the 4GEE home router as a wireless access point. However, if you want to avoid having to reconfigure your devices and want to also allow your whole LAN to benefit, then having a second WAN is beneficial and doing it with the 4GEE home router was reasonably straightforward in the end with a few quirks. There are certainly other ways to achieve what I’ve done and likely at lower cost.

Cost break down:

4GEE home router + 4G SIM 100 GB per month
£35.00 x 18 months = £630.00

EE 4G SIM only 100 GB data (without the 4GEE home router)
£18.00 x 18 months = £324.00

Costs above accurate at the time of publication.

The SIM only deal being £18.00 rather than £20.00 for existing customers at the time of writing.

Roughly speaking you can see that approximately £306.00 of the cost is from the 4GEE home router alone over an 18-month period, which is a lot for an ISP provided router. You can almost certainly find a 4G capable router/modem which you can insert an EE 4G SIM into for less than this, but an absolute requirement for me was to have ethernet, some won’t.

Another alternative would have been to get an additional fixed broadband line from someone like BT; however, these days the contract lengths look to be a minimum of two years, and with being a customer of EE already for mobile, I get more data by taking out a second line and can also move my 4G data allocation between two devices (data sharing).

Breaking down the costs for the 4GEE home router, it is quite steep for what you get, so maybe 4G broadband is not for everyone and, as I prefaced this in the beginning, there are alternative options available, i.e. purchasing as SIM only and then buying another 4G modem separately, but you’ve got to factor in the upfront costs for the hardware and additional complexity etc. My decision was mostly led by convenience and the benefits/perks you get of having multiple lines with an existing provider.

However if anyone else does happen to use the 4GEE home router as backup connection and is a bit more technical than the average user of this product, I hope this helps others!

Update 23/04/2020: I have asked EE a few questions regarding the IPv6 configuration on the 4GEE home router just to see if I can figure out some of the questions that remain. The questions I have asked are:

  1. The behaviour I’m seeing with IPv4v6 mode. Why doesn’t IPv4v6 allocate an IPv6 prefix automatically, without having to force it by switching the Connect IP mode setting and disconnecting/reconnecting?
  2. What IPv6 prefix gets assigned to the 4GEE home router (I suspect it’s a single /64). I cannot confirm it, as the OpenWrt side of the 4GEE home router is locked away. I wish the SSH access was still available!

Written by

I'm a web developer, but also like writing about technical networking and security related topics, because I'm a massive nerd!
