Failover Internet connection setup?

Trying to decide what the best way to set up a failover Internet connection is.

Current setup has remote sites connected to the main site via Comcast ENS. So we have the sites router connected to a Comcast Ciena. Everything routes over OSPF. At the main site the firewall for Internet access plugs into a port on the switch and has an IP local to that subnet. The firewall is configured with OSPF as well so it's directly on the network.

We will be installing PFSense boxes at each satellite along with a regular Comcast Business class Internet connection, with the ultimate goal being to have the PFSense box handle our free wifi for customers (using the same Comcast Business class Internet), act as a secondary Internet access if the ENS circuit goes down with a site to site VPN connection back to our main site, and lastly failing over to the Comcast 4G if everything goes down (no VPN in this case).

I'm trying to decide if it makes more sense to plug the PFSense boxes into the routers at each site or if it would be better to plug into the switch like I have with the main Internet. I don't think I want to tie these into the OSPF network as they'll be 100% just for the local site they are physically located at.