FRITZ!Box 3390 – Service - Knowledge Base

Setting up a VPN connection between two FRITZ!Boxes for individual LAN ports

When you set up a VPN connection between two FRITZ!Box networks, you can also restrict the VPN tunnel to individual LAN ports on the FRITZ!Boxes. These LAN ports can then only be used to access the remote FRITZ!Box network, but not devices in the local FRITZ!Box network. The LAN ports are also no longer able to use the local FRITZ!Box to access the Internet.

This allows you, for example, to connect a home office or a POS system in one branch with the central office by means of a securely encrypted VPN tunnel, without allowing other devices in the branch to access the central office.

Example values used in this guide

In this guide we show you how to connect devices connected to the "LAN 2" port of "FRITZ!Box A" over a VPN tunnel with "FRITZ!Box B". When you set up your connection, replace the values used in this example with actual ones.

  • MyFRITZ! domain name of FRITZ!Box A:
    pi80ewgfi72d2os42.myfritz.net
  • IP network of FRITZ!Box A:
    192.168.10.0 (subnet mask: 255.255.255.0)
  • IP network of the "LAN 2" port on FRITZ!Box A:
    192.168.11.0 (subnet mask: 255.255.255.0)
  • MyFRITZ! domain name of FRITZ!Box B:
    kw23qbmnj31x5aw75.myfritz.net
  • IP network of FRITZ!Box B:
    192.168.20.0 (subnet mask: 255.255.255.0)
  • VPN password (pre-shared key):
    secret

Requirements / Restrictions

  • At least one of the two FRITZ!Boxes must obtain a public IPv4 address from the Internet service provider.

    Important: If both of the FRITZ!Boxes are used on Internet connections that use DS-Lite ("Dual-Stack Lite"), you cannot establish a VPN connection. When DS-Lite is active, the status "IPv4 over DS Lite" is displayed under "Connections" on the "Overview" page of the FRITZ!Box user interface.

  • FRITZ!OS 6.20 or later is installed on FRITZ!Box B.

Important: Some of the settings described here are only displayed if the advanced view is enabled in the user interface. The configuration procedure and notes on functions given in this guide refer to the latest FRITZ!OS.

1 Preparations

Setting up a MyFRITZ! account and determining the domain name

With MyFRITZ! you can access a FRITZ!Box from the Internet at all times, even if its public IP address changes on a regular basis, for example after being automatically disconnected by your Internet service provider.

Note: You can use a different dynamic DNS service instead of MyFRITZ!. Since the FRITZ!Box gives higher priority to configured MyFRITZ! accounts, disable MyFRITZ! under "Internet > MyFRITZ!" in the user interface before setting up the VPN connection.

  1. Set up a MyFRITZ! account in both of the FRITZ!Boxes.

    Note: You can either configure the same or different MyFRITZ! accounts in the two FRITZ!Boxes. Even if both FRITZ!Boxes use the same MyFRITZ! account, each FRITZ!Box has its own unique MyFRITZ! domain name.

  2. Determine the MyFRITZ! domain names of both of the FRITZ!Boxes.

Adjusting the IP networks

VPN communication cannot occur if both FRITZ!Boxes use the same IP network. Since all FRITZ!Boxes use the IP network 192.168.178.0 in the factory settings, adjust the IP networks of the FRITZ!Boxes:

Example:
In this guide, FRITZ!Box A uses the IP address 192.168.10.1 (subnet mask 255.255.255.0) and FRITZ!Box B the IP address 192.168.20.1 (subnet mask 255.255.255.0).

  1. Click "Home Network" in the FRITZ!Box user interface.
  2. Click "Home Network Overview" in the "Home Network" menu.
  3. Click on the "Network Settings" tab.
  4. Click the "IPv4 Addresses" button.
  5. Enter the desired IP address and subnet mask.
  6. Click "OK" to save the settings.
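
A pre-flight check of the values this guide asks for, as an added example that is not part of the original guide: it tests that the planned IP networks do not overlap (a generalization of the "same IP network" condition above) and that the VPN password follows the advice given in the configuration steps. The function names, the inclusion of the LAN-port prefixes in the overlap check and the 24-character default length are assumptions of this example.

```python
import ipaddress
import secrets
import string

# Example values from this guide, written as address/subnet mask.
GUIDE_PLAN = {
    "FRITZ!Box A": "192.168.10.0/255.255.255.0",
    "FRITZ!Box A LAN 2": "192.168.11.0/255.255.255.0",
    "FRITZ!Box B": "192.168.20.0/255.255.255.0",
    "FRITZ!Box B LAN ports": "192.168.21.0/255.255.255.0",
}

def check_networks(plan):
    """Return a list of problems: invalid network addresses and overlapping pairs."""
    problems, parsed = [], {}
    for name, spec in plan.items():
        try:
            # strict=True rejects a host address such as 192.168.10.1/255.255.255.0
            parsed[name] = ipaddress.ip_network(spec, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    names = list(parsed)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if parsed[first].overlaps(parsed[second]):
                problems.append(f"{first} overlaps {second}")
    return problems

def check_psk(psk):
    """Return the parts of the guide's password advice that psk does not meet."""
    problems = []
    if len(psk) < 16:
        problems.append("shorter than 16 characters")
    if not any(c.isdigit() for c in psk):
        problems.append("no numerals")
    if not any(c.isupper() for c in psk):
        problems.append("no capital letters")
    if not any(c.islower() for c in psk):
        problems.append("no lower-case letters")
    return problems

def generate_psk(length=24):
    """Draw random letters and digits until the result passes check_psk."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(candidate):
            return candidate
```

Run against the guide's sample values, the network plan passes, while the sample password "secret" fails the length, numeral and capital-letter checks.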

2 Configuring FRITZ!Box A

  1. Click "Internet" in the user interface of FRITZ!Box A.
  2. Click "Permit Access" in the "Internet" menu.
  3. Click on the "VPN" tab.
  4. Click the "Add VPN Connection" button.
  5. Click "Connect your home network with another FRITZ!Box network (LAN-LAN linkup)" and then "Next".
  6. Enter the password required to establish the VPN connection (secret) in the field "VPN password (pre-shared key)".

    Important: To ensure optimal security, the VPN password should be at least 16 characters long.

  7. Enter the MyFRITZ! domain name of FRITZ!Box B (kw23qbmnj31x5aw75.myfritz.net) in the "Web address" field.
  8. Enter the IP network of FRITZ!Box B (192.168.20.0) in the "Remote network" field.

    Important: If the VPN tunnel should be limited to certain LAN ports on FRITZ!Box B, you must enter the network prefix (192.168.21.0) used for these LAN ports here.

  9. Enter the subnet mask that corresponds to FRITZ!Box B's IP network (255.255.255.0) in the "Subnet mask" field.
  10. Enable the option "Hold VPN connection permanently" if you would like the VPN connection to FRITZ!Box B to remain established.
  11. Enable the option "VPN tunnel is available only at the selected LAN ports of the FRITZ!Box".
  12. Select the LAN ports for which the VPN tunnel should be available.
  13. In the "Network prefix" field, enter the IP network to be used by the LAN ports you selected (192.168.11.0).
  14. Enter the subnet mask that corresponds to the IP network in the "Subnet mask prefix" field (255.255.255.0).
  15. Enter the IP address of the DNS server in the "Preferred DNS server" field.

    Important: If you want to allow devices connected to the LAN ports you selected for FRITZ!Box A to use the Internet, enter the local IP address of FRITZ!Box B here (192.168.20.1).

  16. If available, enter the IP address of a second DNS server in the "Alternative DNS server" field.
  17. Click "OK" to save the settings.
  18. Restart FRITZ!Box A by unplugging the power cable from the electrical outlet and plugging it in again after a few seconds.

3 Configuring FRITZ!Box B

  1. Click "Internet" in the user interface of FRITZ!Box B.
  2. Click "Permit Access" in the "Internet" menu.
  3. Click on the "VPN" tab.
  4. Click the "Add VPN Connection" button.
  5. Click "Connect your home network with another FRITZ!Box network (LAN-LAN linkup)" and then "Next".
  6. Enter the password required to establish the VPN connection (secret) in the field "VPN password (pre-shared key)".

    Important: To ensure optimal security, the VPN password should be at least 16 characters long. Use numerals and letters, and combine capitals and lower-case letters.

  7. Enter the MyFRITZ! domain name of FRITZ!Box A (pi80ewgfi72d2os42.myfritz.net) in the "Web address" field.
  8. Enter the IP network of FRITZ!Box A (192.168.11.0) used for the VPN tunnel in the "Remote network" field.
  9. Enter the subnet mask that corresponds to FRITZ!Box A's IP network (255.255.255.0) in the "Subnet mask" field.
  10. Enable the option "Hold VPN connection permanently" if you would like the VPN connection to FRITZ!Box A to remain established.
  11. Only if you also would like to restrict the use of the VPN tunnel to certain LAN ports on FRITZ!Box B:
    1. Enable the option "VPN tunnel is available only at the selected LAN ports of the FRITZ!Box".
    2. Select the LAN ports for which the VPN tunnel should be available.
    3. In the "Network prefix" field, enter the IP network to be used for the LAN ports you selected (192.168.21.0).
    4. Enter the subnet mask that corresponds to the IP network in the "Subnet mask prefix" field (255.255.255.0).
    5. Enter the IP address of the DNS server in the "Preferred DNS server" field.

      Important: If you want to allow devices connected to the LAN ports you selected for FRITZ!Box B to use the Internet, enter the local IP address of FRITZ!Box A here (192.168.10.1).

    6. If available, enter the IP address of a second DNS server in the "Alternative DNS server" field.
  12. Click "OK" to save the settings.
  13. Only if you enabled the option "VPN tunnel is available only at the selected LAN ports of the FRITZ!Box", restart FRITZ!Box B by unplugging the power cable from the electrical outlet and plugging it in again after a few seconds.

4 Establishing a VPN connection

If you enabled the option "Hold VPN connection permanently" in the FRITZ!Boxes, then the VPN connection will remain established.

If the option "Hold VPN connection permanently" is not enabled, then the VPN connection is automatically established whenever one of the networks accesses the other network and it is cleared again whenever it has been inactive for one hour.

Note: Active VPN connections are displayed in the user interface of both of the FRITZ!Boxes under "Internet > Permit Access > VPN".