Site2Site VPN ER605 - Fritzbox
Hello,
I want to create a Site2Site VPN connection between my ER605 and a Fritzbox 6590.
What is the best way of doing this?
The remote site (Fritzbox) should be able to access only ONE IP address in my local network.
Also, I should be able to access one IP on the remote site.
Topology:
Thanks for any advice.
Hi @marcwa122
First, if you need site-to-site, IPsec is recommended. Top choice.
ONE IP only, do you mean that you need to restrict access to only one IP address? Not the whole subnet?
You can set the local IP to a single IP address like Local IP = 192.168.50.50/32
@Clive_A Hi,
Thank you for the answer. We managed to set it up like you mentioned. Thanks.
One more question:
I'm using another Site2Site VPN connection, which connects the remote site (/24 network) and the local site (/24 network) together, but I want to have some ACL restrictions "in between".
For example, I want all clients on the remote site (Fritzbox) to be accessible by the local site, but no client on the local site (Omada) should be accessible by the remote site (except for the NAS device).
I tried to use a Switch ACL without success (using IP groups for the local and the remote network ranges).
I also tried to use a LAN->LAN ACL on the Gateway ACL.
All without success. What is the way of doing this kind of ACL? I also tried a WAN IN type on the Gateway ACL.
Restricting the VPN tunnel itself is also an option, but there are some troubles using IKEv2 with the Fritzbox...
So I decided to create the site2site between the two /24 networks.
Thank you and best regards!
Hi @marcwa122
Thanks for posting in our business forum.
marcwa122 wrote
@Clive_A Hi,
Thank you for the answer. We managed to set it up like you mentioned. Thanks.
One more question:
I'm using another Site2Site VPN connection, which connects the remote site (/24 network) and the local site (/24 network) together, but I want to have some ACL restrictions "in between".
For example, I want all clients on the remote site (Fritzbox) to be accessible by the local site, but no client on the local site (Omada) should be accessible by the remote site (except for the NAS device).
I tried to use a Switch ACL without success (using IP groups for the local and the remote network ranges).
I also tried to use a LAN->LAN ACL on the Gateway ACL.
All without success. What is the way of doing this kind of ACL? I also tried a WAN IN type on the Gateway ACL.
Restricting the VPN tunnel itself is also an option, but there are some troubles using IKEv2 with the Fritzbox...
So I decided to create the site2site between the two /24 networks.
Thank you and best regards!
Then you should use a client-to-site VPN. IPsec site-to-site is bidirectional.
If you use ACL, it should never be SW ACL because it is not stateful. You need a stateful ACL which is GW ACL.
If I did not recall it wrong, ACL is effective for the VPN subnets. But you should create a subnet on the Omada router to match the subnet on the other end. LAN - LAN ACL.
But I still think if you need to use it in that way, you should use client-to-site to save performance for other stuff. ACL would sacrifice partial performance.
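Added example (not from the thread or from TP-Link): a small simulation of why the "local may reach everything remote, remote may only reach the NAS" policy cannot be expressed with a stateless switch ACL but works with a stateful gateway ACL, as the reply above states. Subnets are assumptions: local Omada LAN 192.168.50.0/24 with the NAS at 192.168.50.50 (the /32 from the thread), Fritzbox LAN 192.168.178.0/24.

```python
from ipaddress import ip_address, ip_network

# Assumed subnets (not stated in the thread beyond the 192.168.50.50/32 host).
LOCAL = ip_network("192.168.50.0/24")      # Omada site
REMOTE = ip_network("192.168.178.0/24")    # Fritzbox site
NAS = ip_network("192.168.50.50/32")       # the only local host the remote site may reach

# Policy, first match wins: (source net, destination net, action)
RULES = [
    (LOCAL, REMOTE, "permit"),   # local site may initiate to any remote client
    (REMOTE, NAS, "permit"),     # remote site may initiate only to the NAS
    (REMOTE, LOCAL, "deny"),     # every other remote -> local packet is dropped
]

def match(src, dst):
    """Evaluate the rule list against one packet header."""
    for s, d, action in RULES:
        if src in s and dst in d:
            return action
    return "permit"              # traffic the policy does not cover

def stateless_acl(packets):
    """Switch ACL: each packet judged alone, replies get no special treatment."""
    return [match(ip_address(p["src"]), ip_address(p["dst"])) for p in packets]

def stateful_acl(packets):
    """Gateway ACL: the first packet of a flow is judged by the rules;
    reply packets of an already-permitted flow pass in either direction."""
    established, verdicts = set(), []
    for p in packets:
        src, dst = ip_address(p["src"]), ip_address(p["dst"])
        fwd = (src, dst, p["sport"], p["dport"])
        rev = (dst, src, p["dport"], p["sport"])
        if rev in established:
            verdicts.append("permit")          # reply to a tracked flow
            continue
        v = match(src, dst)
        if v == "permit":
            established.add(fwd)               # remember the permitted flow
        verdicts.append(v)
    return verdicts

# Constructed traffic: local PC -> remote client, its reply, then two new flows
# initiated from the remote side (one to a normal local host, one to the NAS).
PACKETS = [
    {"src": "192.168.50.10", "dst": "192.168.178.20", "sport": 51000, "dport": 445},
    {"src": "192.168.178.20", "dst": "192.168.50.10", "sport": 445, "dport": 51000},
    {"src": "192.168.178.20", "dst": "192.168.50.10", "sport": 40000, "dport": 22},
    {"src": "192.168.178.20", "dst": "192.168.50.50", "sport": 40001, "dport": 445},
]
```

The stateless evaluation drops the second packet (the reply to a connection the local site opened), which is exactly why the switch ACL attempt broke local-to-remote access; the stateful one passes it while still dropping the unsolicited remote-to-local flow.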