I assume the core router is the default gateway for all your devices, which is connected to the LAN port of RUT240 (maybe via switch). Now, when core router fails, the end devices do not have a gateway. Is that correct?
If I understood everything correctly, one of the options would be to connect the LAN port of the core router to WAN on RUT240. Of course, LAN and WAN networks on RUT240 would need to be on different subnets. By doing this, the end devices will utilize the RUT240 as their default gateway. The WAN connection on the RUT240 will serve as the primary connection, while the mobile connection will act as a backup (failover). Consequently, if the core router experiences a failure, the end devices will continue using the RUT240 as their default gateway, and the RUT240 will automatically switch to the mobile connection as the alternative route, bypassing the wired WAN through the core router.
This setup will provide failover functionality. However, if your intention is not to have the end devices utilize the mobile connection on the router, but rather to have a backdoor via RMS VPN, you can modify the firewall settings on the RUT240. Specifically, you would configure the firewall to drop packets originating from the LAN and destined for the mobile WAN. To achieve this, it is necessary to segregate the wired WAN and mobile connections into separate firewall zones, as they are grouped together in the default 'wan' zone by default. With this, traffic from the LAN to the wired WAN will be permitted, while traffic from the LAN to the mobile WAN will be blocked. Keep in mind that an RMS firewall zone is automatically created when you configure RMS VPN Hub. So, even when the wired WAN is down, the mobile connection is active, and traffic from the LAN to the mobile WAN is dropped, you should still be able to access the end device over the RMS VPN.
Or, as I have already mentioned previously, you can try using VRRP.