Sophos XG Firewall LTE Backup

I work a good bit from my home office so obviously internet access is pretty important – so important that I have 2 carriers: Comcast via coax and AT&T via bonded pair DSL. As you may also know, I use the Sophos XG firewall home edition as a full-featured firewall and internet gateway – the conversion from Sophos UTM to XG was a bit tricky due to the UI of XG being…let’s just say not that great. That has since changed, and the XG handles multiple internet connection failover well with little to no interruption in service.

So everything was going great as far as internet service was concerned…until…you know…hurricane Irma happened.

The solution to this was to use my hotspot…but that only goes so far since I’m only connecting my workstation or laptop. Then I had the idea to use a spare system I had and bridge the wireless hotspot to ethernet connection and plug that into the firewall. This worked surprisingly well, but I didn’t really like having another system between the firewall and the hotspot. Then I started digging in the XG UI and found there is a wireless WAN\LTE capability built right in!

Configuring Sophos XG for LTE

Note that WWAN is disabled by default, and XG will ask you to confirm that you want to enable the feature. So my plan (yes) was to use USB tethering rather than a Wi-Fi hotspot, and to be honest, I was pretty skeptical that this was even going to work, but could always go back to wireless\ethernet bridging if needed. Note that the default configuration for the WWAN interface (screenshot above) is Dial-up PPP – for USB tethering this needs to be switched to Network Adapter (DHCP), because the phone hands out an address from its internal hotspot range over DHCP. There are several additional settings depending on the type of modem – username\password, SIM PIN code, APN, initialization strings, etc. – but these are not needed for this configuration. When you enable WWAN, you will see an additional interface added:

What device was I using to tether, you ask? Why, it was a spare Nexus 6 with an unlimited plan 🙂

Did it actually work when I plugged it in via USB?

Yeap.

How? No idea.

And once the phone was recognized, simply select ‘Connect’ and sure enough, internet service came right up!

So why do this when I could just use bridging and a Wi-Fi hotspot? For one, this is a much simpler configuration than having another hop via a system bridging the connection. But also, XG knows that this is a cellular WAN and therefore a metered connection, so for as long as you are connected it will track the bytes used.
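The byte accounting XG does on a cellular WAN is worth having on any metered backup link, so here is an added example (not Sophos code, and not the setup described in this post) of the same idea on a Linux host: it parses `/proc/net/dev` counters, diffs them against the counters captured when the tethered link came up, and reports usage against a data budget. The interface name `usb0`, the two counter snapshots and the 2 GB budget are constructed for the example.

```python
"""Metered-link usage tracker (added example, not Sophos XG code).

Reads /proc/net/dev style counter tables, computes bytes moved on the
tethered interface since the link came up, and rates that against a budget.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IfCounters:
    rx_bytes: int
    tx_bytes: int

    @property
    def total(self) -> int:
        return self.rx_bytes + self.tx_bytes


def parse_proc_net_dev(text: str) -> dict[str, IfCounters]:
    """Parse a /proc/net/dev table into {ifname: IfCounters}.

    Layout: two header lines, then one line per interface of the form
    'iface: rx_bytes rx_packets ... tx_bytes ...'; rx_bytes is the first
    numeric column and tx_bytes the ninth (index 8).
    """
    counters: dict[str, IfCounters] = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) < 16:
            raise ValueError(f"malformed /proc/net/dev line for {name.strip()}")
        counters[name.strip()] = IfCounters(int(fields[0]), int(fields[8]))
    return counters


def bytes_used(baseline: IfCounters, now: IfCounters) -> int:
    """Bytes moved since the link came up.

    Kernel counters only grow, so a counter lower than the baseline means the
    interface was re-created (phone unplugged and plugged back in); in that
    case the new counters already count from zero, so use them as-is.
    """
    if now.rx_bytes < baseline.rx_bytes or now.tx_bytes < baseline.tx_bytes:
        return now.total
    return now.total - baseline.total


def budget_status(used: int, budget: int, warn_at: float = 0.8) -> str:
    """Return 'ok', 'warn' (above warn_at fraction) or 'exceeded'."""
    if used >= budget:
        return "exceeded"
    if used >= budget * warn_at:
        return "warn"
    return "ok"


# Constructed sample: counters when the tether came up ...
SNAPSHOT_AT_CONNECT = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     1000    0    0    0     0          0         0   123456     1000    0    0    0     0       0          0
  usb0:  100000      800    0    0    0     0          0         0    50000      600    0    0    0     0       0          0
"""

# ... and a constructed snapshot taken some hours later.
SNAPSHOT_LATER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  223456     2000    0    0    0     0          0         0   223456     2000    0    0    0     0       0          0
  usb0: 1700000000 1300000    0    0    0     0          0         0 200000000  900000    0    0    0     0       0          0
"""

BUDGET_BYTES = 2_000_000_000  # constructed 2 GB allowance for the example


def report(iface: str = "usb0", budget: int = BUDGET_BYTES) -> tuple[int, str]:
    """Usage since connect on `iface` and its status against `budget`."""
    base = parse_proc_net_dev(SNAPSHOT_AT_CONNECT)[iface]
    now = parse_proc_net_dev(SNAPSHOT_LATER)[iface]
    used = bytes_used(base, now)
    return used, budget_status(used, budget)


if __name__ == "__main__":
    used, status = report()
    print(f"usb0: {used:,} bytes since connect, budget status: {status}")
```

On a real host you would read `/proc/net/dev` for each snapshot instead of the embedded strings; the re-plug check matters because a tethered phone that drops and re-enumerates resets its counters, and a naive subtraction would then report negative usage.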

Another thing I will note is that you are going to want to apply a traffic shaping policy to all devices except the workstation that should get the majority of the bandwidth. If your network is anything like mine, there are NUMEROUS devices on the network trying to get any internet access possible, and cellular WAN is not great for that…especially after a hurricane when everyone else is trying to use cellular data.

Sophos XG continues to amaze me – in this case using cellular WAN as a backup worked completely out of the box with no issues!
