Configuring a VPN Connection between Two FRITZ!Box Home Networks for Individual LAN Ports
A VPN connection between two FRITZ!Box home networks can be restricted to individual LAN ports on the FRITZ!Boxes.
Operating Mode on the Selected LAN Ports
If the VPN connection is configured only for certain LAN ports, these LAN ports then have the following functions and restrictions:
- Only the remote FRITZ!Box home network can be reached from these LAN ports. It is not possible to access devices in the local home network.
- On these LAN ports, the internet is accessed via the remote FRITZ!Box.
- On these LAN ports, the entire network traffic takes place via the VPN connection.
- If the VPN connection is not established, the following apply to the LAN ports:
- The LAN ports are not assigned any IP addresses via DHCP
- The LAN ports are not able to access the internet.
Example Scenario
- You want to connect the home network of your FRITZ!Box at home with the home network of the FRITZ!Box at your company's premises via VPN.
- You want to restrict the VPN connection on your FRITZ!Box at home to the LAN ports "LAN 2" and "LAN 3". Only the devices on the ports "LAN 2" and "LAN 3" are to be able to access the FRITZ!Box home network at your company.
Example Values Used in this Guide
With this guide you connect the devices on the "LAN 2" and "LAN 3" ports of the box-home with the home network of the box-work. The following example values are used below in this guide.
For your own VPN configuration, replace the example values with the actual values in your scenario.
box-home
VPN Parameters | Example Value |
---|---|
MyFRITZ! domain name | pi80ewgfi72d2os42.myfritz.net |
IP network | 192.168.10.0 (subnet mask: 255.255.255.0) |
IP network on the "LAN 2" and "LAN 3" ports | 192.168.11.0 (subnet mask: 255.255.255.0) |
box-work
VPN Parameters | Example Value |
---|---|
MyFRITZ! domain name | kw23qbmnj31x5aw75.myfritz.net |
IP network | 192.168.20.0 (subnet mask: 255.255.255.0) |
VPN password (pre-shared key):
159PrM131719
Prerequisite: Public IPv4 address
At least one FRITZ!Box must obtain a public IPv4 address from the internet service provider.
Check whether at least one FRITZ!Box obtains a public IPv4 address: Determining the Public IPv4 Address of the FRITZ!Box.
Making FRITZ!Box Accessible with Changing Public IPv4 Address
For VPN connections, it must be possible to reach your FRITZ!Box from the internet at all times. If the FRITZ!Box obtains its public IPv4 address from the internet provider, then the IPv4 address will generally change with each assignment.
With the MyFRITZ! service or another dynamic DNS service, the FRITZ!Box can always be reached from the internet, even when the public IPv4 address changes.
Using MyFRITZ!
box-home:
- Open the user interface of box-home.
- Click on "Internet" and then on "MyFRITZ! Account".
- Register the box-home with a MyFRITZ! account. Create a new MyFRITZ! account or use an existing MyFRITZ! account: Creating a New MyFRITZ! Account And Registering a FRITZ!Box.
- Determine the MyFRITZ! domain name for box-home: Determining MyFRITZ! Domain Name.
box-work:
- Open the user interface of box-work.
- Click on "Internet" and then on "MyFRITZ! Account".
- Register the box-work with the same MyFRITZ! account where you registered the box-home: Registering FRITZ!Box with a MyFRITZ! Account.
- Determine the MyFRITZ! domain name for box-work: Determining MyFRITZ! Domain Name.
If you want to use MyFRITZ!, then create a MyFRITZ! account or use an existing MyFRITZ! account. Register the FRITZ!Box with the MyFRITZ! account. Upon registration, the FRITZ!Box receives a MyFRITZ! domain name. Determine the MyFRITZ! domain name.
Note:You can also register box-work with a different MyFRITZ! account.
Example Values for the MyFRITZ! Domain Names
In this guide, the following example values are for the MyFRITZ! domain names. Replace these example values with the MyFRITZ! domain names you determined.
FRITZ!Box Device | Example Value for MyFRITZ! Domain Name |
---|---|
box-home | pi80ewgfi72d2os42.myfritz.net |
box-work | kw23qbmnj31x5aw75.myfritz.net |
Using Another Dynamic DNS Service
Instead of MyFRITZ! you can use a different dynamic DNS service.
Note:If the FRITZ!Box is registered with a MyFRITZ! account, the FRITZ!Box will automatically use the MyFRITZ! service. If you would like to use a different dynamic DNS service for the FRITZ!Box than MyFRITZ!, then disable MyFRITZ! in the FRITZ!Box before setting up the VPN connection. Disable the MyFRITZ! account in the FRITZ!Box user interface under "Internet / MyFRITZ! Account".
Adjusting the IPv4 Networks on the Ends of the VPN Connection
Both ends of a VPN connection must have IPv4 addresses in different IPv4 networks. Only then is VPN communication possible.
Note:Upon delivery, every FRITZ!Box uses the IPv4 network 192.168.178.0.
Change the IPv4 address in box-home and in box-work. The following example values are used below in this guide. You can use these example values or replace them with other values (private IPv4 addresses).
FRITZ!Box Device | IPv4 Address of the FRITZ!Box Device |
---|---|
box-home | 192.168.10.1 (subnet mask: 255.255.255.0) |
box-work | 192.168.20.1 (subnet mask: 255.255.255.0) |
box-home:
Change the IPv4 address in box-home. Enter the value 192.168.10.1. Enter the subnet mask 255.255.255.0. Changing the IPv4 Network in the FRITZ!Box
box-work:
Change the IPv4 address in box-work. Enter the value 192.168.20.1. Enter the subnet mask 255.255.255.0. Changing the IPv4 Network in the FRITZ!Box
Configuring the VPN Connection in box-home
- Click on "Internet" in the user interface of box-home.
- Click on "Permit Access" in the "Internet" menu.
- Click on the "VPN" tab.
- Click on the "Add VPN Connection" button.
- Select "Connect your home network with another FRITZ!Box network (LAN-LAN linkup)" and click on "Next".
- Enter the secret word required to establish the VPN connection (secret) in the field "VPN password (pre-shared key)". Use numerals and letters, and combine capitals and lower-case letters. Example value: 159PrM131719
- Enter a name for the VPN connection in the "Name of the VPN connection" field. The VPN connection will be displayed with this name in the overview.
- Enter the MyFRITZ! domain name of box-work in the "Web address" field. Example value: kw23qbmnj31x5aw75.myfritz.net
- Enter the IP network of box-work in the "Remote network" field. Example value: 192.168.20.0
- In the "Subnet mask" field, enter the subnet mask that corresponds to the IP network of box-work. Example value: 255.255.255.0
- Enable the option "Hold VPN connection permanently" if box-work has a public IPv4 address and you want to maintain the VPN connection at all times.
- Enable the option "VPN tunnel is available only at the selected LAN ports of the FRITZ!Box".
- Select the LAN ports at which the VPN tunnel should be available. Example: "LAN 2 and "LAN 3".
- In the "Network prefix" field, enter the IP network to be used by the LAN ports you selected. Example value: 192.168.11.0
- Enter in the "Subnet mask prefix" field the subnet mask that corresponds to the IP network. Example value: 255.255.255.0.
- If you want to allow devices connected to the selected LAN ports on the box-home to surf the internet, enter the local IP address of box-work. Example value: 192.168.20.0.
- If available, enter the IP address of a second DNS server in the "Alternative DNS server" field.
- Click on "Advanced Settings for Network Traffic":
- Do not enable the setting "Send all network traffic via the VPN connection". On the selected LAN ports, the entire network traffic takes place via the VPN connection.
- Click on "OK".
- If you are prompted to confirm the application of this setting on the FRITZ!Box, then confirm it as described in the prompt. The internet connection will be cleared briefly and then re-established right away.
- Restart the box-home: unplug the power cable from the electrical outlet and plug it back in after a few seconds.
Configuring a VPN Connection in box-work
- Click on "Internet" in the user interface of box-work.
- Click on "Permit Access" in the "Internet" menu.
- Click on the "VPN" tab.
- Click on the "Add VPN Connection" button.
- Select "Connect your home network with another FRITZ!Box network (LAN-LAN linkup)" and click on "Next".
- Enter the secret word required to establish the VPN connection (secret) in the field "VPN password (pre-shared key)". Use numerals and letters, and combine capitals and lower-case letters. Example value: 159PrM131719
- Enter a name for the VPN connection in the "Name of the VPN connection" field. The VPN connection will be displayed with this name in the overview.
- Enter the MyFRITZ! domain name of box-home in the "Web address" field. Example value: pi80ewgfi72d2os42.myfritz.net
- Enter the IP network of box-home on the "LAN 2" and "LAN 3" ports used for the VPN tunnel in the "Remote network" field. Example value: 192.168.11.0
- In the "Subnet mask" field, enter the subnet mask that belongs to the IP network of box-home on the "LAN 2" and "LAN 3" ports. Example value: 255.255.255.0
- Enable the option "Hold VPN connection permanently" if box-home has a public IPv4 address and you want to maintain the VPN connection at all times.
- Click on "OK".
- If you are prompted to confirm the application of this setting on the FRITZ!Box, then confirm it as described in the prompt. The internet connection will be cleared briefly and then re-established right away.
Disabling the NetBIOS filter
To make shared files and printers in the home network of the other FRITZ!Box accessible from the home network of every FRITZ!Box, the NetBIOS filter must be disabled in every FRITZ!Box.
Disable the NetBIOS filter in a FRITZ!Box only if shared files and printers in the home network of the FRITZ!Box are to be accessed from the home network of the other FRITZ!_Box.
Disable NetBIOS filter in the FRITZ!Box:
- Switch on the advanced view in the FRITZ!Box user interface: Standard View and Advanced View.
- Click in the user interface on "Internet" and then on "Filters".
- Click on the "Lists" tab.
- Disable the "NetBIOS filter enabled" setting.
- Click on "Apply".
Establishing a VPN Connection
If you enabled the option "Hold VPN connection permanently" in the VPN settings, then the VPN connection will remain established.
If the option "Hold VPN connection permanently" is not enabled, then the VPN connection is automatically established whenever a user in one network accesses the other network. After an hour of inactivity, the VPN connection is cleared.