Configuring a VPN Connection between Two FRITZ!Box Home Networks for Individual LAN Ports
A VPN connection between two FRITZ!Box home networks can be restricted to individual LAN ports on the FRITZ!Boxes.
Operating Mode on the Selected LAN Ports
If the VPN connection is configured only for certain LAN ports, these LAN ports then have the following functions and restrictions:
- Only the remote FRITZ!Box home network can be reached from these LAN ports. It is not possible to access devices in the local home network.
- On these LAN ports, the internet is accessed via the remote FRITZ!Box.
- On these LAN ports, the entire network traffic takes place via the VPN connection.
- If the VPN connection is not established, the following apply to the LAN ports:
- The LAN ports are not assigned any IP addresses via DHCP
- The LAN ports are not able to access the internet.
Example Scenario
- You want to connect the home network of your FRITZ!Box at home with the home network of the FRITZ!Box at your company's premises via VPN.
- You want to restrict the VPN connection on your FRITZ!Box at home to the LAN ports "LAN 2" and "LAN 3". Only the devices on the ports "LAN 2" and "LAN 3" are to be able to access the FRITZ!Box home network at your company.
Example Values Used in this Guide
With this guide you connect the devices on the "LAN 2" and "LAN 3" ports of the box-home with the home network of the box-work. The following example values are used below in this guide.
For your own VPN configuration, replace the example values with the actual values in your scenario.
box-home
VPN Parameters | Example Value |
---|---|
MyFRITZ! domain name | pi80ewgfi72d2os42.myfritz.net |
IP network | 192.168.10.0 (subnet mask: 255.255.255.0) |
IP network on the "LAN 2" and "LAN 3" ports | 192.168.11.0 (subnet mask: 255.255.255.0) |
box-work
VPN Parameters | Example Value |
---|---|
MyFRITZ! domain name | kw23qbmnj31x5aw75.myfritz.net |
IP network | 192.168.20.0 (subnet mask: 255.255.255.0) |
VPN password (pre-shared key):
159PrM131719
Prerequisite: Public IPv4 address
At least one FRITZ!Box must obtain a public IPv4 address from the internet service provider.
Check whether at least one FRITZ!Box obtains a public IPv4 address: Determining the Public IPv4 Address of the FRITZ!Box.
Making FRITZ!Box Accessible with Changing Public IPv4 Address
For VPN connections, it must be possible to reach your FRITZ!Box from the internet at all times. If the FRITZ!Box obtains its public IPv4 address from the internet provider, then the IPv4 address will generally change with each assignment.
With the MyFRITZ! service or another dynamic DNS service, the FRITZ!Box can always be reached from the internet, even when the public IPv4 address changes.
Using MyFRITZ!
box-home:
- Open the user interface of box-home.
- Click on "Internet" and then on "MyFRITZ! Account".
- Register the box-home with a MyFRITZ! account. Create a new MyFRITZ! account or use an existing MyFRITZ! account: Creating a New MyFRITZ! Account And Registering a FRITZ!Box.
- Determine the MyFRITZ! domain name for box-home: Determining MyFRITZ! Domain Name.
box-work:
- Open the user interface of box-work.
- Click on "Internet" and then on "MyFRITZ! Account".
- Register the box-work with the same MyFRITZ! account where you registered the box-home: Registering FRITZ!Box with a MyFRITZ! Account.
- Determine the MyFRITZ! domain name for box-work: Determining MyFRITZ! Domain Name.
If you want to use MyFRITZ!, then create a MyFRITZ! account or use an existing MyFRITZ! account. Register the FRITZ!Box with the MyFRITZ! account. Upon registration, the FRITZ!Box receives a MyFRITZ! domain name. Determine the MyFRITZ! domain name.
Note:You can also register box-work with a different MyFRITZ! account.
Example Values for the MyFRITZ! Domain Names
In this guide, the following example values are for the MyFRITZ! domain names. Replace these example values with the MyFRITZ! domain names you determined.
FRITZ!Box Device | Example Value for MyFRITZ! Domain Name |
---|---|
box-home | pi80ewgfi72d2os42.myfritz.net |
box-work | kw23qbmnj31x5aw75.myfritz.net |
Using Another Dynamic DNS Service
Instead of MyFRITZ! you can use a different dynamic DNS service.
Adjusting the IPv4 Networks on the Ends of the VPN Connection
Both ends of a VPN connection must have IPv4 addresses in different IPv4 networks. Only then is VPN communication possible.
Note:Upon delivery, every FRITZ!Box uses the IPv4 network 192.168.178.0.
Change the IPv4 address in box-home and in box-work. The following example values are used below in this guide. You can use these example values or replace them with other values (private IPv4 addresses).
FRITZ!Box Device | IPv4 Address of the FRITZ!Box Device |
---|---|
box-home | 192.168.10.1 (subnet mask: 255.255.255.0) |
box-work | 192.168.20.1 (subnet mask: 255.255.255.0) |
box-home:
Change the IPv4 address in box-home. Enter the value 192.168.10.1. Enter the subnet mask 255.255.255.0. Changing the IPv4 Network in the FRITZ!Box
box-work:
Change the IPv4 address in box-work. Enter the value 192.168.20.1. Enter the subnet mask 255.255.255.0. Changing the IPv4 Network in the FRITZ!Box
Configuring the VPN Connection in box-home
- Click on "Internet" in the user interface of box-home.
- Click on "Permit Access" in the "Internet" menu.
- Click on the "VPN" tab.
- Click on the "Add VPN Connection" button.
- Select "Connect your home network with another FRITZ!Box network (LAN-LAN linkup)" and click on "Next".
- Enter the secret word required to establish the VPN connection (secret) in the field "VPN password (pre-shared key)". Use numerals and letters, and combine capitals and lower-case letters. Example value: 159PrM131719
- Enter a name for the VPN connection in the "Name of the VPN connection" field. The VPN connection will be displayed with this name in the overview.
- Enter the MyFRITZ! domain name of box-work in the "Web address of the remote site" field. Example value: kw23qbmnj31x5aw75.myfritz.net
Note:The value in the "Web address of the remote site" field in box-home must be the same as the value in the "Web address of this FRITZ!Box" field in box-work.
- Change the entry in the "Web address of this FRITZ!Box" field if you want to use a different address:
- If box-home is registered with a MyFRITZ! account, the MyFRITZ! domain name is displayed here. If box-home is also registered with another dynamic DNS service, and you want to use the dynamic domain name of the other service, then enter the other name here.
Note:The value in the "Web address of this FRITZ!Box" field in box-home must be the same as the value in the "Web address of the remote site" field in box-work.
- If box-home is registered with a MyFRITZ! account, the MyFRITZ! domain name is displayed here. If box-home is also registered with another dynamic DNS service, and you want to use the dynamic domain name of the other service, then enter the other name here.
- Enter the IP network of box-work in the "Remote network" field. Example value: 192.168.20.0
- In the "Subnet mask" field, enter the subnet mask that corresponds to the IP network of box-work. Example value: 255.255.255.0
- Enable the option "Hold VPN connection permanently" if box-work has a public IPv4 address and you want to maintain the VPN connection at all times.
- Enable the option "VPN tunnel is available only at the selected LAN ports of the FRITZ!Box".
- Select the LAN ports at which the VPN tunnel should be available. Example: "LAN 2 and "LAN 3".
- In the "Network prefix" field, enter the IP network to be used by the LAN ports you selected. Example value: 192.168.11.0
- Enter in the "Subnet mask prefix" field the subnet mask that corresponds to the IP network. Example value: 255.255.255.0.
- If you want to allow devices connected to the selected LAN ports on the box-home to surf the internet, enter the local IP address of box-work in the "Preferred DNS server" field. Example value: 192.168.20.1.
- If available, enter the IP address of a second DNS server in the "Alternative DNS server" field.
- Click on "Advanced Settings for Network Traffic":
- If the VPN connection to the selected LAN sockets "LAN 2" and "LAN 3" is to be used for all internet queries and not only for access to the home network of box-work, then do not enable the "Send all network traffic via the VPN connection" setting.
- If access to file and printer sharing in the home network of box-work is to be allowed, then enable the setting "Allow NetBIOS over this connection".
- Click on "OK".
- If you are prompted to confirm the application of this setting on the FRITZ!Box, then confirm it as described in the prompt. The internet connection will be cleared briefly and then re-established right away.
- Restart the box-home: unplug the power cable from the electrical outlet and plug it back in after a few seconds.
Configuring a VPN Connection in box-work
- Click on "Internet" in the user interface of box-work.
- Click on "Permit Access" in the "Internet" menu.
- Click on the "VPN" tab.
- Click on the "Add VPN Connection" button.
- Select "Connect your home network with another FRITZ!Box network (LAN-LAN linkup)" and click on "Next".
- Enter the secret word required to establish the VPN connection (secret) in the field "VPN password (pre-shared key)". Use numerals and letters, and combine capitals and lower-case letters. Example value: 159PrM131719
- Enter a name for the VPN connection in the "Name of the VPN connection" field. The VPN connection will be displayed with this name in the overview.
- Enter the MyFRITZ! domain name of box-home in the "Web address of the remote site" field. Example value: pi80ewgfi72d2os42.myfritz.net
Note:The value in the "Web address of the remote site" field in box-work must be the same as the value in the "Web address of this FRITZ!Box" field in box-home.
- Change the entry in the "Web address of this FRITZ!Box" field if you want to use a different address:
- If box-work is registered with a MyFRITZ! account, the MyFRITZ! domain name is displayed here. If box-work is also registered with another dynamic DNS service, and you want to use the dynamic domain name of the other service, then enter the other name here.
Note:The value in the "Web address of this FRITZ!Box" field in box-work must be the same as the value in the "Web address of the remote site" field in box-home.
- If box-work is registered with a MyFRITZ! account, the MyFRITZ! domain name is displayed here. If box-work is also registered with another dynamic DNS service, and you want to use the dynamic domain name of the other service, then enter the other name here.
- Enter the IP network of box-home on the "LAN 2" and "LAN 3" ports used for the VPN tunnel in the "Remote network" field. Example value: 192.168.11.0
- In the "Subnet mask" field, enter the subnet mask that belongs to the IP network of box-home on the "LAN 2" and "LAN 3" ports. Example value: 255.255.255.0
- Enable the option "Hold VPN connection permanently" if box-home has a public IPv4 address and you want to maintain the VPN connection at all times.
- If you want to access file and printer sharing on the "LAN 2" and "LAN 3" ports of box-home, then click on "Advanced Settings for Network Traffic" and enable the setting "Allow NetBIOS over this connection".
- Click on "OK".
- If you are prompted to confirm the application of this setting on the FRITZ!Box, then confirm it as described in the prompt. The internet connection will be cleared briefly and then re-established right away.
Establishing a VPN Connection
If you enabled the option "Hold VPN connection permanently" in the VPN settings, then the VPN connection will remain established.
If the option "Hold VPN connection permanently" is not enabled, then the VPN connection is automatically established whenever a user in one network accesses the other network. After an hour of inactivity, the VPN connection is cleared.