FRITZ!Box 6890 LTE Service - Knowledge Base

Setting up a VPN connection between two FRITZ!Boxes for individual LAN ports

When you set up a VPN connection between two FRITZ!Box networks, you can also restrict the VPN tunnel to individual LAN ports on the FRITZ!Boxes. These LAN ports can then only be used to access the remote FRITZ!Box network, but not devices in the local FRITZ!Box network. The LAN ports are also no longer able to use the local FRITZ!Box to access the internet.

This allows you, for example, to connect a home office or a POS system in one branch with the central office by means of a securely encrypted VPN tunnel, without allowing other devices in the branch to access the central office.

Example values used in this guide

In this guide we show you how to connect devices connected to the "LAN 2" port of "FRITZ!Box A" over a VPN tunnel with "FRITZ!Box B". When you set up the connection, replace the values used in this example with your actual values.

  • MyFRITZ! domain name of FRITZ!Box A:
    pi80ewgfi72d2os42.myfritz.net
  • IP network of FRITZ!Box A:
    192.168.10.0 (subnet mask: 255.255.255.0)
  • IP network of the "LAN 2" port on FRITZ!Box A:
    192.168.11.0 (subnet mask: 255.255.255.0)
  • MyFRITZ! domain name of FRITZ!Box B:
    kw23qbmnj31x5aw75.myfritz.net
  • IP network of FRITZ!Box B:
    192.168.20.0 (subnet mask: 255.255.255.0)
  • VPN password (pre-shared key):
    secret1234

Requirements / Restrictions

  • At least one of the two FRITZ!Boxes must obtain a public IPv4 address from the internet service provider.
  • FRITZ!OS 6.20 or later is installed on FRITZ!Box B.

Note: All instructions on configuration and settings given in this guide refer to the latest FRITZ!OS for the FRITZ!Box.

1 Preparations

Setting up a MyFRITZ! account and determining the domain name

With MyFRITZ! you can access the FRITZ!Boxes over the internet at all times even if the FRITZ!Boxes receive different public IP addresses from your internet service provider at regular intervals:

  1. Set up a MyFRITZ! account in both of the FRITZ!Boxes.

    Note: You can configure either the same MyFRITZ! account or different MyFRITZ! accounts in the two FRITZ!Boxes. Even if both FRITZ!Boxes use the same MyFRITZ! account, each FRITZ!Box has its own unique MyFRITZ! domain name.

  2. Determine the MyFRITZ! domain names of both of the FRITZ!Boxes.

Adjusting the IP networks

Communication within the VPN is not possible if both FRITZ!Boxes use the same IP network. Since all FRITZ!Boxes use the IP network 192.168.178.0 in the factory settings, configure IP addresses from different IP networks in the FRITZ!Boxes:

Example:
In this guide, FRITZ!Box A has the IP address 192.168.10.1 (subnet mask 255.255.255.0) and FRITZ!Box B the IP address 192.168.20.1 (subnet mask 255.255.255.0).

  1. Click "Home Network" in the FRITZ!Box user interface.
  2. Click "Network" in the "Home Network" menu.
  3. Click on the "Network Settings" tab.
  4. In the section "WAN setting", click "Additional Settings" to display all of the settings.
  5. Click the "IPv4 Configuration" button.
  6. Enter the desired IP address and subnet mask.
  7. Click "OK" to save the settings. If asked to do so, confirm on the FRITZ!Box that the procedure may be executed.

2 Configuring FRITZ!Box A

  1. Click "Internet" in the user interface of FRITZ!Box A.
  2. Click "Permit Access" in the "Internet" menu.
  3. Click on the "VPN" tab.
  4. Click the "Add VPN Connection" button.
  5. Click "Connect your home network with another FRITZ!Box network (LAN-LAN linkup)" and then "Next".
  6. In the field "VPN password (pre-shared key)", enter the password required to establish the VPN connection (secret1234). Use numerals and letters, and combine capitals and lower-case letters.
  7. Enter a unique name for the connection (FRITZ!Box London) in the field "Name of the VPN connection".
  8. Enter the MyFRITZ! domain name of FRITZ!Box B (kw23qbmnj31x5aw75.myfritz.net) in the field "Web address of the remote site".
  9. Enter the IP network of FRITZ!Box B (192.168.20.0) in the "Remote network" field. If the VPN tunnel should be limited to certain LAN ports on FRITZ!Box B, enter the network prefix of these LAN ports (192.168.21.0).
  10. In the "Subnet mask" field, enter the subnet mask that corresponds to FRITZ!Box B's IP network (255.255.255.0).
  11. If you want to maintain the VPN connection to FRITZ!Box B all the time, enable the option "Hold VPN connection permanently".
  12. Enable the option "VPN tunnel is available only at the selected LAN ports of the FRITZ!Box".
  13. Select the LAN ports for which the VPN tunnel should be available.
  14. In the "Network prefix" field, enter the IP network to be used by the LAN ports you selected (192.168.11.0).
  15. In the field "Subnet mask prefix", enter the subnet mask that corresponds to the IP network (255.255.255.0).
  16. Enter the IP address of the DNS server in the "Preferred DNS server" field (192.168.20.1).
  17. Click "Advanced Settings for Network Traffic".
  18. If you want to use the VPN connection not only to access the remote network, but also to send all web requests from the selected LAN ports to FRITZ!Box B, enable the option "Send all network traffic via the VPN connection".
  19. If access to SMB shared files in the remote network should be allowed, enable the option "Allow NetBIOS over this connection".
  20. If only certain devices should be allowed to access the remote network, enable the option "Only certain devices use the VPN connection" and select the corresponding devices.
  21. Click "OK" to save the settings. If asked to do so, confirm on the FRITZ!Box that the procedure may be executed.
  22. Restart FRITZ!Box A by unplugging the power cable from the electric outlet and plugging it in again after a few seconds.

3 Configuring FRITZ!Box B

  1. Click "Internet" in the user interface of FRITZ!Box B.
  2. Click "Permit Access" in the "Internet" menu.
  3. Click on the "VPN" tab. If the tab is not displayed, enable the Advanced View first.
  4. Click the "Add VPN Connection" button.
  5. Click "Connect your home network with another FRITZ!Box network (LAN-LAN linkup)" and then "Next".
  6. In the field "VPN password (pre-shared key)", enter the password required to establish the VPN connection (secret1234).
  7. If the field "Name of the VPN connection" is displayed, enter a unique name (FRITZ!Box London) for the connection.
  8. Enter the MyFRITZ! domain name of FRITZ!Box A (pi80ewgfi72d2os42.myfritz.net) in the field "Web address of the remote site".
  9. Enter the IP network of FRITZ!Box A (192.168.11.0) used for the VPN tunnel in the "Remote network" field.
  10. In the "Subnet mask" field, enter the subnet mask that corresponds to FRITZ!Box A's IP network (255.255.255.0).
  11. If you want to maintain the VPN connection to FRITZ!Box A all the time, enable the option "Hold VPN connection permanently".
  12. If you also want to restrict the use of the VPN tunnel to certain LAN ports on FRITZ!Box B:
    1. Enable the option "VPN tunnel is available only at the selected LAN ports of the FRITZ!Box".
    2. Select the LAN ports for which the VPN tunnel should be available.
    3. In the "Network prefix" field, enter the IP network to be used by the LAN ports you selected (192.168.21.0).
    4. In the field "Subnet mask prefix", enter the subnet mask that corresponds to the IP network (255.255.255.0).
    5. Enter the IP address of the DNS server in the "Preferred DNS server" field. If you want to allow devices connected to the selected LAN ports to use the Internet, enter the local IP address of FRITZ!Box A (192.168.10.1).
  13. Click "OK" to save the settings. If asked to do so, confirm on the FRITZ!Box that the procedure may be executed.
  14. If you enabled the option "VPN tunnel is available only at the selected LAN ports of the FRITZ!Box", restart FRITZ!Box B by unplugging the power cable from the electric outlet and plugging it in again after a few seconds.
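
The values entered in sections 2 and 3 can be checked for consistency before they are typed into the two user interfaces. The following Python script is an added example, not AVM code; it uses this guide's example values, and the dictionary layout and the function names check_plan and psk_follows_step6 are assumptions made for the illustration. It checks that no networks overlap each other or the factory network, that each "Remote network" entry names the network the other side places in the tunnel, and that the pre-shared key follows the advice in step 6 of section 2.

```python
import ipaddress

FACTORY_NET = ipaddress.ip_network("192.168.178.0/24")  # factory setting per this guide

def check_plan(plan):
    """Return a list of problems in a port-restricted LAN-LAN address plan."""
    problems, nets = [], {}
    for name, (addr, mask) in plan["networks"].items():
        try:
            # strict parsing rejects a host address (e.g. 192.168.10.1) typed as a network
            nets[name] = ipaddress.ip_network(f"{addr}/{mask}")
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    names = sorted(nets)
    for i, a in enumerate(names):
        if nets[a].overlaps(FACTORY_NET):
            problems.append(f"{a} overlaps factory network {FACTORY_NET}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # "Remote network" on each box must name a network that exists on the
    # other side and that the other side actually puts into the tunnel.
    for box, (remote, valid_names) in plan["remote"].items():
        valid = {str(nets[n].network_address) for n in valid_names if n in nets}
        if remote not in valid:
            problems.append(f"{box}: remote network {remote} not one of {sorted(valid)}")
    return problems

def psk_follows_step6(psk):
    """Step 6 of section 2: numerals, plus both capital and lower-case letters."""
    return (any(c.isdigit() for c in psk) and any(c.islower() for c in psk)
            and any(c.isupper() for c in psk))

# Example values from this guide (dict layout and key names are assumptions).
GUIDE_PLAN = {
    "networks": {
        "A home": ("192.168.10.0", "255.255.255.0"),
        "A LAN 2": ("192.168.11.0", "255.255.255.0"),
        "B home": ("192.168.20.0", "255.255.255.0"),
    },
    "remote": {
        "FRITZ!Box A": ("192.168.20.0", ["B home"]),   # section 2, step 9
        "FRITZ!Box B": ("192.168.11.0", ["A LAN 2"]),  # section 3, step 9
    },
}

if __name__ == "__main__":
    print(check_plan(GUIDE_PLAN) or "address plan OK")
    print("PSK follows step 6:", psk_follows_step6("secret1234"))
```

With the guide's values the address plan passes, while the example password secret1234 does not follow step 6 because it contains no capital letters.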

4 Establishing a VPN connection

If you enabled the option "Hold VPN connection permanently" in the FRITZ!Boxes, the VPN connection will be maintained at all times.

If the option "Hold VPN connection permanently" is not enabled, the VPN connection is automatically established whenever one of the networks accesses the other network and it is cleared again whenever it has been inactive for one hour.

Note: Active VPN connections are displayed in the FRITZ!Box user interface under "Overview" in the section "Connections".