Create a Backup Mobile Data WAN for Your Small Business / Home Networkeric

The Problem

For small businesses and home offices, internet downtime is painful. When your primary NBN connection goes down — whether it's a cable fault, an ISP outage, or a modem failure — everything grinds to a halt. Emails stop, video calls drop, cloud tools become unreachable.

The obvious fix is a backup WAN connection, but most solutions involve:

• A dedicated 4G/5G router (~$200–$500)
• A second SIM card with a separate data plan (~$20–$50/month)

That's recurring cost for something you only need occasionally.

The Better Solution: Use Your Existing Phone

Here's the insight: you almost certainly already have a mobile phone on a plan that includes data. When NBN goes down, that phone in your pocket already is a backup internet connection — you just need a way to share it with your whole network instead of just your phone.

Android's USB tethering feature turns your phone into a USB network adapter. Plug it into a Linux box and it appears as a regular ethernet interface (usb0). From there, you can route your entire network's traffic through it.

What this costs you:

• An old PC, mini PC, or single-board computer (even a Raspberry Pi works) — something you may already have spare
• A USB cable
• Your existing phone and mobile plan
• No extra SIM, no extra monthly bill

Architecture

The setup uses a dedicated Alpine Linux box (we'll call it mg) sitting on your LAN alongside your primary NBN router.

Copy Normal (NBN up):
  Clients → mg (192.168.8.99) → NBN router (192.168.8.1) → Internet

Failover (NBN down):
  Clients → mg (192.168.8.99) → usb0 (Android phone) → Mobile Internet

Clients point their default gateway to mg. When NBN is up, mg transparently forwards traffic to the NBN router. When NBN fails, you run one command on mg and it switches to routing via the phone. Clients don't change anything.

Requirements

• A PC or mini box with at least one ethernet port, running Alpine Linux
• An Android phone with USB tethering capability (virtually all modern Android phones)
• A USB cable (USB-A to USB-C or Micro-USB depending on your phone)
• SSH access to the Alpine box

Step 1: Install iptables

Alpine Linux is minimal by default. Install iptables for NAT:

Copy sudo apk add iptables

Step 2: Enable IP Forwarding

The box needs to forward packets between interfaces like a router:

Copy echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-forwarding.conf
sudo sysctl -w net.ipv4.ip_forward=1

Step 3: Add USB Interface to Network Config

When Android USB tethering is active, it appears as usb0. Tell Alpine to obtain a DHCP address from the phone on that interface:

Copy sudo tee -a /etc/network/interfaces > /dev/null << 'EOF'

# USB tethering (Android backup WAN)
iface usb0 inet dhcp
EOF

The kernel modules rndis_host and cdc_ether handle Android USB tethering. On a standard Alpine install with a reasonably modern kernel, these are already present and loaded automatically when the phone is plugged in with tethering enabled.

Step 4: iptables Rules at Boot

Create a startup script that sets up NAT and forwarding rules every time the machine boots:

Copy sudo tee /etc/local.d/wan-setup.start > /dev/null << 'EOF'
#!/bin/sh
# WAN gateway iptables setup

sysctl -w net.ipv4.ip_forward=1

# FORWARD chain — drop by default, allow LAN traffic out via either WAN
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o usb0 -j ACCEPT

# NAT — masquerade outbound on both WAN paths
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o eth0 ! -d 192.168.8.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE
EOF

sudo chmod +x /etc/local.d/wan-setup.start
sudo rc-update add local default

Apply the rules immediately without rebooting:

Copy sudo sh /etc/local.d/wan-setup.start

Why MASQUERADE on eth0? When mg forwards a client's packet to the NBN router, without masquerading the source IP is the client's (e.g. 192.168.8.50). The NBN router sends the reply directly back to that client, bypassing mg — breaking the connection tracking. MASQUERADE rewrites the source to mg's own IP (192.168.8.99), so all return traffic flows back through mg correctly.

Step 5: The Failover Script

This script handles detecting whether the primary WAN is up and switching routes accordingly. Save it to /usr/local/bin/wan-failover.sh:

Copy sudo tee /usr/local/bin/wan-failover.sh > /dev/null << 'EOF'
#!/bin/sh
# wan-failover.sh — WAN failover between NBN (eth0) and USB tethering (usb0)
# Usage: wan-failover.sh [auto|primary|backup|status|check]

PRIMARY_GW="192.168.8.1"
LAN_IFACE="eth0"
USB_IFACE="usb0"
CHECK_HOST="8.8.8.8"
CHECK_HOST2="1.1.1.1"
STATE_FILE="/var/run/wan-mode"
LOG="/var/log/wan-failover.log"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" | tee -a "$LOG"
}

get_mode() {
    cat "$STATE_FILE" 2>/dev/null || echo "primary"
}

check_primary_wan() {
    # Force the check through the primary gateway by adding temporary host routes.
    # This ensures the test uses eth0 even if the current default route is via usb0.
    ip route replace "${CHECK_HOST}/32" via "$PRIMARY_GW" dev "$LAN_IFACE" 2>/dev/null
    ping -c 3 -W 2 "$CHECK_HOST" > /dev/null 2>&1
    result=$?
    ip route del "${CHECK_HOST}/32" 2>/dev/null

    if [ $result -ne 0 ]; then
        ip route replace "${CHECK_HOST2}/32" via "$PRIMARY_GW" dev "$LAN_IFACE" 2>/dev/null
        ping -c 3 -W 2 "$CHECK_HOST2" > /dev/null 2>&1
        result=$?
        ip route del "${CHECK_HOST2}/32" 2>/dev/null
    fi
    return $result
}

bring_up_usb() {
    if ! ip link show "$USB_IFACE" > /dev/null 2>&1; then
        log "ERROR: $USB_IFACE not found — enable USB tethering on the phone first"
        return 1
    fi
    ip link set "$USB_IFACE" up
    udhcpc -i "$USB_IFACE" -q -n -t 5 > /dev/null 2>&1
    ip addr show "$USB_IFACE" | grep -q 'inet ' && return 0
    log "ERROR: Failed to get DHCP lease on $USB_IFACE"
    return 1
}

clear_default_routes() {
    # Remove all current default routes to start clean
    while ip route del default 2>/dev/null; do :; done
}

switch_to_backup() {
    log "Primary WAN DOWN — switching to USB backup..."
    bring_up_usb || return 1

    USB_GW=$(ip route show dev "$USB_IFACE" | awk '/^default/{print $3}' | head -1)
    if [ -z "$USB_GW" ]; then
        log "ERROR: Could not determine USB gateway IP"
        return 1
    fi

    clear_default_routes
    ip route add default via "$USB_GW" dev "$USB_IFACE" metric 10
    echo "backup" > "$STATE_FILE"
    log "Routing via USB ($USB_GW). Mode: BACKUP"
}

switch_to_primary() {
    log "Primary WAN UP — switching back to NBN..."
    clear_default_routes
    ip route add default via "$PRIMARY_GW" dev "$LAN_IFACE" metric 1
    echo "primary" > "$STATE_FILE"
    log "Routing via $PRIMARY_GW. Mode: PRIMARY"
}

status() {
    printf 'Mode:     %s\n' "$(get_mode)"
    printf 'Default:  '; ip route show default
    printf 'eth0:     '; ip addr show "$LAN_IFACE" | awk '/inet /{print $2}'
    if ip link show "$USB_IFACE" > /dev/null 2>&1; then
        printf 'usb0:     '; ip addr show "$USB_IFACE" | awk '/inet /{print $2}'
    else
        printf 'usb0:     not present\n'
    fi
}

case "${1:-auto}" in
    auto)
        mode=$(get_mode)
        if check_primary_wan; then
            if [ "$mode" = "backup" ]; then
                switch_to_primary
            else
                log "Primary WAN OK"
            fi
        else
            if [ "$mode" = "primary" ]; then
                switch_to_backup
            else
                log "Primary WAN still DOWN, staying on backup"
            fi
        fi
        ;;
    primary)  switch_to_primary ;;
    backup)   switch_to_backup ;;
    status)   status ;;
    check)
        if check_primary_wan; then echo "Primary WAN: UP"
        else echo "Primary WAN: DOWN"; fi
        ;;
    *)
        echo "Usage: $0 [auto|primary|backup|status|check]"
        exit 1
        ;;
esac
EOF

sudo chmod +x /usr/local/bin/wan-failover.sh

Step 6: Point Clients to mg

For each machine on your network that you want covered by the failover, change its default gateway from the NBN router's IP to mg's IP (192.168.8.99).

• Windows: Network adapter settings → IPv4 → Default gateway
• macOS: System Settings → Network → Details → TCP/IP → Router
• Linux: See below

Alternatively, do it centrally: log into your NBN router's admin page and change the DHCP gateway option to 192.168.8.99. All clients pick this up on their next DHCP renewal with no per-machine changes required.

Linux: Gateway Switcher Scripts

On Linux, DHCP may leave behind its own default route when you try to change the gateway, resulting in two conflicting defaults. The safest approach is to flush all default routes first, then add the one you want.

Create two convenience scripts in ~/bin/:

~/bin/gw-backup — switch to mg (backup WAN):

Copy #!/bin/bash
while sudo ip route del default 2>/dev/null; do :; done
sudo ip route add default via 192.168.8.99 dev enp2s0 metric 100
echo "Gateway → mg (192.168.8.99) [backup WAN]"
ip route show default

~/bin/gw-primary — switch back to NBN router:

Copy #!/bin/bash
while sudo ip route del default 2>/dev/null; do :; done
sudo ip route add default via 192.168.8.1 dev enp2s0 metric 100
echo "Gateway → NBN router (192.168.8.1) [primary WAN]"
ip route show default

Make them executable:

Copy chmod +x ~/bin/gw-backup ~/bin/gw-primary

Then switching is just:

Copy gw-backup    # route via mg when NBN is down
gw-primary   # route via NBN router when NBN is back

Note: Replace enp2s0 with your actual interface name (ip link show to check). These changes are not persistent across reboots or DHCP renewals — run the script again if needed.

Using the Failover Script

Copy wan-failover.sh            # auto: check primary WAN, switch if needed
wan-failover.sh check      # test if primary WAN is up (without switching)
wan-failover.sh status     # show current mode and interface IPs
wan-failover.sh backup     # manually force switch to phone
wan-failover.sh primary    # manually force switch back to NBN

When NBN Goes Down: Step by Step

1. Enable USB tethering on your Android phone

On your phone: Settings → Network & Internet → Hotspot & Tethering → USB Tethering (on)

Plug the phone into mg via USB.

2. SSH into mg and switch to backup

Copy ssh mg
sudo wan-failover.sh backup

3. Verify

Copy sudo wan-failover.sh status
ping 8.8.8.8

You should see usb0 with an IP address and pings going through. Clients on the network are now using mobile data transparently — no changes needed on their end.

4. When NBN comes back

Copy sudo wan-failover.sh primary

Clients resume using NBN automatically.

How It Works Under the Hood

When you run wan-failover.sh backup, the script:

1. Checks usb0 exists (phone is plugged in with tethering on)
2. Brings the interface up and runs udhcpc to get a DHCP lease from the phone
3. Reads the gateway IP assigned by the phone (typically 192.168.42.129)
4. Flushes all existing default routes, then adds a single clean one: ip route add default via 192.168.42.129 dev usb0

The flush step matters. When udhcpc gets a lease it automatically injects its own default route. Without clearing first, you end up with two default routes — the old primary and the new backup — and the kernel picks whichever has the lower metric, which may not be what you want. The clear_default_routes loop removes all of them before adding the correct one.

Android's USB tethering uses the RNDIS protocol, which the rndis_host kernel module handles. The phone acts as both a DHCP server and a NAT gateway to the mobile network. From the kernel's perspective, usb0 is just another ethernet interface.

The check_primary_wan function tests internet reachability through the primary gateway specifically — even if the default route is already pointing at usb0. It does this by temporarily injecting a host-specific route (8.8.8.8/32 via 192.168.8.1), pinging, then removing it. This prevents the check from falsely succeeding via the backup connection while testing the primary.

Keeping Costs at Zero

The entire ongoing cost of this solution is zero. Your phone's existing mobile plan absorbs the data usage during outages. Most modern plans include more than enough data for light business use — email, web browsing, cloud tools for a small team — for the duration of a typical NBN outage.

Contrast this with a dedicated 4G router plus a SIM plan that costs money every single month regardless of whether your NBN ever goes down.

Conclusion

A spare computer, Alpine Linux, a USB cable, and a phone you already own is all it takes to give your home or small business network a solid backup WAN. The setup is straightforward, the failover is a single command, and the ongoing cost is nothing.

For the occasional outage — which is exactly the scenario most small businesses and home offices face — this is hard to beat.