Inbound 4g LTE vpn failover

Does anyone know how to set up a secondary inbound connection to a firebox using a 4g lte router ?

We have poor internet and a number of remote users and that number is about to increase and so I want to have some users come in through one connection and other users come in via a different connection.

The second connection is a 4g LTE connection with good Internet speeds but I can’t get my head around setting it up because all I have is the ability to use DMZ as I can’t put the 4g router into bridged / modem only mode as the firebox doesn’t seem to be able to do NAT or know how to authenticate.

I have set up DDNS on the 4g LTE so users can hit the router but stuck on how to route the traffic after that.

I have, let’s say, the IP address of LTE as and I have put the DMZ port as

I have the firebox as a static IP with address and gateway as

That seems to work with regards flow of traffic but I can’t get mobile SSL VPN users to get to the firebox. Does the 4g LTE connection have to be EXTERNAL, OPTIONAL or BRIDGE ?

Do I have to set a new SSL VPN firewall rule or just amend the current one to set the 4g LTE connection as a new inbound connection ?

I am not concerned about internal traffic going out via the 4g, only interested in getting remote users connected to the firebox via SSL VPN via the 4g router.

All help appreciated.


  • Options

    A SSLVPN connection should work from an External, Trusted or Optional interface.
    I can connect from a PC connected to my firewall's trusted interface and from External, without issues.
    Just make sure that the interface name or alias is in the From: field of the WatchGuard SSLVPN policy.
    For your case, Optional would be a good type to try.
    Your main issue will be knowing the public IP addr of the 4g LTE modem.

  • Options

    Also what brand of 4g LTE modem do you have, and from what ISP ?

  • Options

    Thanks for your comments Bruce.
    I have a TP Link 4G LTE router which uses the 3 network here in the UK (in case you are not in the UK)
    I'll try the FROM part but I'm not sure I'm even getting to the 4G router.
    If I have the DMZ enabled, is it passing all traffic or do I have to put a port forwarding rule on the TP-Link to point to the designated DMZ IP address in order to get the data to flow.

    What I mean is, if I am using port 444 for SSL VPN connection do I need to tell my mobile SSL VPN software to point to the DDNS which is programmed into the TP-Link and do I then tell the TP-Link to port forward to the DMZ port and from there the firebox takes over ?



  • Options

    There should be no port restrictions when your firewall is connected to the TP Link DMZ interface and with the firewall's external interface IP addr set in the DMZ Host IP Address field of the TP Link.

    You can turn on diagnostic logging for SSLVPN which may show something to help, and should show any connection attempts:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> SSL
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

  • Options
    edited February 2020

    Hi Tango, not sure if you still need help with this, or you worked it out. The way I did it (on my Firebox T35) was to set my eth3 port as an external port (labelled it 4G), then plug my 4G in on that port. You would then need to change your IP on that port to (to match your DMZ setting in the TP-Link) with the gateway as - if you have global DNS you should be fine, but you may need to set this up as well.

    Some devices are funny and DMZ does NOT mean forward all traffic. I have a TP-link MR6400 and the DMZ is fine and works, but you could also have a port forwarding rule(s) that has all traffic go to that static IP.

  • Options


    did you have to put additional forwarding on the firebox?

    I'm in the same situation and using a Firebox T50-W and a TP-Link Archer MR600.

    On the firebox I put on port as external interface and set it with
    IP and gateway
    On the tplink I put as LAN address and as DMZ host
    I then configured dynamic DNS on the tplink but it does forward port 443 which listens for SSL VPN connections for example.
    I even added a virtual server entry but it did not work.
    Any suggestions you might think ?
    Thanks a lot.

  • Options

    Hi all,

    in case it might help somebody, in my case the 4G router showed
    a private IP address in the connection information page.
    That means the SIM card used is only meant for browsing
    the internet and does not accept incoming connections so
    DMZ and port forwarding will not work unless you call the ISP
    and tell them your needs.

    Look up the red text here:


Sign In to comment.