Backup Internet and Failover for Business

Why backup internet is worth it

Outage causes in order of frequency:

• ISP last-mile faults. Cable cut by construction, fiber damaged by lightning, DSL cabinet equipment failure. Repair time: 4 hours to multiple days.
• ISP network outages. Routing problems, equipment failure in carrier infrastructure. Repair time: 30 minutes to several hours.
• Local power outages. Modem and router lose power. Repair time: hours.
• On-site equipment failure. Modem, router, or switch dies. Repair time: hours to days depending on parts.
• Maintenance windows. Planned ISP work, sometimes longer than announced.

For most SMBs, 1-2 outages per year is typical. A multi-hour outage during business hours can cost more than a year of backup internet.

Three architectures for backup internet

1. Cold standby

A second ISP connection sitting idle, ready to be patched in when primary fails. Cheapest option in terms of equipment but requires manual intervention.

Practical version: a 5G/LTE router with a basic data plan, kept powered and configured. When the primary goes down, an employee plugs the 5G router's Ethernet output into the network's gateway port.

Pros: cheap. Cons: requires a person on-site, doesn't help for after-hours outages.

2. Dual-WAN with automatic failover

The router (a dual-WAN model or SD-WAN appliance) has two WAN ports, one connected to each ISP. The router monitors the primary connection continuously; when it fails, the router automatically routes all traffic over the backup.

This is the standard pattern for most SMBs. Equipment options:

• Built-in dual-WAN routers. Most business-grade firewalls (Ubiquiti UDM-Pro, FortiGate 40F+, Meraki MX67+) have dual-WAN as a standard feature.
• Dedicated SD-WAN appliances. Cradlepoint, Peplink, Cisco Meraki MX with SD-WAN licensing.
• Software routers. pfSense and OPNsense both support dual-WAN with extensive policy options.

3. Active-active with load balancing

Both WAN connections are used simultaneously — outbound traffic load-balances across both. When one fails, all traffic shifts to the other transparently. No "failover" event; just degraded capacity.

More complex to configure than failover but eliminates the failover delay. Most useful for offices that can use the aggregate bandwidth of both links during normal operation.

What backup connection to use

The key principle: maximize infrastructure diversity. Two cable connections from the same provider provide little resilience — they share cabinet, headend, and provider network. Cable + 5G or Fiber + 5G uses completely different last-mile infrastructure and carrier paths.

5G/LTE failover routers

The dominant backup pattern for SMBs in 2026. A dedicated cellular router with a SIM card and antennas, ready to take over when wireline fails. Popular products:

• Cradlepoint E300 / E3000. Enterprise-class; 5G; SD-WAN features built in. $1500-3500.
• Peplink MAX BR1 Pro 5G. Multi-modem support; integrated failover. $1000-2500.
• Mikrotik LTE/5G routers. Budget-friendly; capable. $300-800.
• Sierra Wireless / Inseego routers. Mid-market options.

Data plans:

• Verizon Business Internet 5G: Unlimited plans starting $69/month with priority access in some areas.
• T-Mobile 5G Business Internet: Unlimited plans $50-100/month.
• AT&T Business Wireless: Backup plans starting around $40-50/month for limited data.
• MVNOs (Mint, US Mobile): Cheaper but with deprioritized data — slower during peak.

For pure backup use, even a 20 GB monthly cap is usually enough — a 10-person office only uses the backup during outages, which is a few hours per month. Don't overpay for unlimited if backup-only is the goal.

Failover detection: pings, not link status

The router needs to detect that the primary connection has failed and trigger the switch. Bad approach: monitor only the physical Ethernet link to the modem. This misses the common case where the modem is up but the ISP's upstream is broken.

Good approach: continuously ping (or HTTP-probe) targets on the public internet through the primary WAN. If pings fail repeatedly, switch to backup. Standard configuration:

• Probe targets: Two or three reliable external IPs (8.8.8.8, 1.1.1.1, your CDN's anycast IP).
• Probe interval: 5-10 seconds.
• Failure threshold: 2-3 consecutive missed probes before switching.
• Recovery threshold: 3-5 consecutive successful probes before switching back.

This gives 15-30 second failover detection and avoids flapping during brief blips.

The IP address problem during failover

When you switch to backup WAN, your public IP changes. Three implications:

Outbound: mostly works

NAT handles outbound — existing connections drop and reconnect on the new IP, then everything works again.

Inbound: needs DNS

Inbound services pointed at the primary IP stop working. Options:

• Dynamic DNS services that update DNS records when the IP changes. Slow propagation (DNS TTL).
• Route 53 health checks (or equivalent) with failover routing policies. Detect primary IP down; switch DNS to backup IP within minutes.
• Reverse proxy at a cloud provider (Cloudflare Tunnel, Tailscale Funnel) that always has the same public address regardless of your WAN IP changing.

VPN endpoints: reconnect needed

Remote workers connected via VPN to your office gateway will disconnect when the IP changes. They need to reconnect, possibly to a different IP/hostname.

For mission-critical inbound services, the cleanest solution is a cloud-fronted gateway (Cloudflare Tunnel, ngrok Enterprise, Tailscale) that handles the public-facing presence independently of which WAN you're actually using.

SD-WAN: the smarter dual-WAN

Basic dual-WAN switches all traffic to the backup when primary fails. SD-WAN does more:

• Application-aware routing. Voice traffic goes over the low-latency link; bulk downloads go over the high-bandwidth one. Both links used simultaneously, intelligently.
• Sub-second failover. Sessions can be steered between links without dropping (with tunneling).
• Encrypted tunnels. Connections to other sites or cloud are encrypted regardless of WAN path.
• Per-application policies. "Voice always over fiber; Salesforce over either; backups over 5G when fiber is loaded."
• Central management. All sites managed from one dashboard.

SD-WAN matters most for multi-site businesses replacing MPLS. For a single-office SMB, basic dual-WAN is usually adequate; SD-WAN is overkill.

BGP-based redundancy (the enterprise pattern)

Larger businesses with their own IP space and ASN can run BGP at the edge — announcing the same IP space to both ISPs. Both ISPs route inbound traffic to the same IPs; BGP routes around failures. This is the "real" multi-homing pattern.

Requirements:

• Your own IPv4 block (/24 minimum for global routing).
• Your own ASN from ARIN/RIPE/etc.
• BGP-capable edge router.
• BGP peering with both ISPs (most business plans don't allow this; specific BGP services do).

Cost and complexity make this the wrong choice for under-100-user SMBs. The threshold for justifying BGP is roughly when downtime cost exceeds $500/hour and you have IT capacity to manage it.

Don't forget UPS

Internet redundancy is useless if local power dies. Every network closet should have a UPS sized for at least 15-30 minutes of runtime on the gateway, switch, primary APs, modem, and the 5G failover router. Without UPS, a 5-second power blip takes the entire office offline for the duration of equipment reboot — often longer than the actual power outage.

Common sizing for SMB stack:

• 1000 VA UPS ($200-400) — covers ~200W of equipment for 30 minutes. Good for typical office network closet.
• 1500-2200 VA UPS ($350-700) — extends runtime or covers more equipment.
• Generator for sites that absolutely cannot go dark — adds substantial cost but extends runtime indefinitely with fuel.

Testing failover

Untested failover is theoretical. Schedule regular tests:

• Once per quarter, unplug the primary WAN for 5 minutes during business hours.
• Verify the failover actually triggers within 30 seconds.
• Verify that key services (VoIP, payment processing, video calls) work or gracefully degrade.
• Verify inbound services (VPN, web) recover via DNS failover.
• Plug the primary back in; verify failback works.

The first failover test of a new setup will almost certainly reveal misconfiguration. Test before you need it, not during a real outage.

Communication during outages

When the office internet is down (even briefly during failover), customers calling, employees on calls, and partners trying to reach you may be affected. Preparations:

• Mobile soft-phone clients for VoIP — phones keep working over cellular even if office Wi-Fi/internet is down.
• Backup status page — communicate outage to customers if your normal channels are affected.
• Slack/Teams over mobile for employee coordination during outages.
• Documented incident response procedure — who does what during an outage.

Cost-benefit summary

Typical SMB backup internet ROI:

• Cost: $50-200/month for backup connection + $1500-3500 one-time for failover hardware. Total Year 1: ~$2500.
• Benefit: Avoiding 4-12 hours/year of unplanned downtime. For a 10-person office at $100/employee-hour productivity, this is $4000-12000/year in avoided losses.

Most SMBs that depend on internet justify backup within the first year. The math gets even more favorable for businesses where outages mean lost sales (e-commerce, retail with online POS) rather than just operational disruption.

Frequently Asked Questions

How much does business internet backup cost?

For SMBs: $40-150/month for a backup connection. A 5G/LTE failover router with a small data plan runs $40-80/month; a second wired ISP runs $100-300/month depending on bandwidth needs. Compared to even a few hours of downtime cost — lost sales, missed deadlines, customer trust — the backup pays for itself within months for any business that depends on internet.

What is SD-WAN?

SD-WAN (Software-Defined Wide Area Network) is a technology that lets a router intelligently use multiple WAN connections simultaneously — load balancing, failover, application-aware routing, encrypted tunnels to other branches or cloud. It replaces traditional MPLS networks for multi-site businesses and provides smarter dual-WAN behavior than basic failover. Common products: Fortinet Secure SD-WAN, Cisco Meraki, Velocloud (VMware), Cato Networks, Cradlepoint. SD-WAN appliances cost $500-3000 for SMB-class hardware plus per-feature licensing.

Should I use the same ISP for primary and backup?

No — defeats the purpose. The biggest cause of outages is your ISP's network or the local infrastructure between you and the ISP. Two connections from the same provider share the same failure points. Use different ISPs (one fiber, one cable, or one wired + one cellular) and ideally different last-mile technologies. A cable outage might still leave fiber working; a tower outage might still leave wireline working.

How fast is automatic failover?

5-30 seconds for typical dual-WAN setups. The router pings a reference target every few seconds; when pings fail for 2-3 consecutive intervals, it switches to the backup WAN. Established TCP connections drop and must reconnect. SD-WAN with bonded tunnels can be faster (sub-second failover) because sessions are aware of multiple paths simultaneously, but most SMBs don't need that level. 30-second failover is acceptable for typical business traffic; voice calls drop and reconnect.

Will 5G provide enough bandwidth for full failover?

For most SMBs, yes during the failover window. Mid-band 5G typically provides 100-400 Mbps in good coverage areas, with 20-50 Mbps upload. That's enough for a 10-30 person office to keep working — video calls, email, basic SaaS. It won't match the speed of business fiber, and data plan caps may apply, but for the typical 1-4 hour outage window it bridges the gap. Better than zero connectivity.