Site2Site VPN ER605 - Fritzbox

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-07-15 11:11:17 - last edited 2023-10-24 03:22:42
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2

Hello,

I want to create a Site2Site VPN connection between my ER605 and a Fritzbox 6590.
What is the best way of doing this?

The Remote Site (Fritzbox) should be able to access only ONE IP address in my local network.
Also I should be able to access one IP on the Remote-Site.

Topology: [diagram not preserved in this copy]
Thanks for any advice.

#1
3 Replies
Re:Site2Site VPN ER605 - Fritzbox-Solution
2023-07-17 03:53:50 - last edited 2023-10-24 03:22:42

Hi @marcwa122 

First, if you need site-to-site, IPsec is recommended. Top choice.

ONE IP only, do you mean that you need to restrict access to only one IP address? Not the whole subnet?

You can set the local IP to a single IP address like Local IP = 192.168.50.50/32

Recommended Solution
#2
Re:Site2Site VPN ER605 - Fritzbox-Solution
2023-10-21 19:56:29 - last edited 2023-10-24 03:22:45

@Clive_A Hi,

thank you for the answer. We managed to set it up like you mentioned. Thanks.

One more question:
I'm using another Site2Site VPN connection, which is connecting the remote site (/24 network) and the local site (/24 network) together, but I want to have some ACL restrictions "in between".

For example, I want all clients on the Remote-Site (Fritzbox) to be accessible by the local site, but no client on the local site (Omada) should be accessible by the remote site (except for the NAS device).

I tried to use a Switch ACL without success (using IP-Groups for local and for remote-network ranges).
I also tried to use a LAN->LAN ACL on Gateway ACL.
All without success. What is the way of doing this kind of ACL? I also tried a WAN IN type on Gateway ACL.

Restricting the VPN tunnel itself is also an option, but there are some troubles using IKEv2 for Fritzbox...
So I decided to create the site2site between the two /24 networks.

Thank you and best regards!

Recommended Solution
#3
Re:Site2Site VPN ER605 - Fritzbox
2023-10-24 03:22:25

Hi @marcwa122 

Thanks for posting in our business forum.

marcwa122 wrote:

    @Clive_A Hi,

    thank you for the answer. We managed to set it up like you mentioned. Thanks.

    One more question:
    I'm using another Site2Site VPN connection, which is connecting the remote site (/24 network) and the local site (/24 network) together, but I want to have some ACL restrictions "in between".

    For example, I want all clients on the Remote-Site (Fritzbox) to be accessible by the local site, but no client on the local site (Omada) should be accessible by the remote site (except for the NAS device).

    I tried to use a Switch ACL without success (using IP-Groups for local and for remote-network ranges).
    I also tried to use a LAN->LAN ACL on Gateway ACL.
    All without success. What is the way of doing this kind of ACL? I also tried a WAN IN type on Gateway ACL.

    Restricting the VPN tunnel itself is also an option, but there are some troubles using IKEv2 for Fritzbox...
    So I decided to create the site2site between the two /24 networks.

    Thank you and best regards!


Then you should use a client-to-site VPN. IPsec site-to-site is bidirectional.

If you use ACL, it should never be SW ACL because it is not stateful. You need a stateful ACL, which is GW ACL.

If I did not recall it wrong, ACL is effective for the VPN subnets. But you should create a subnet on the Omada router to match the subnet on the other end. LAN - LAN ACL.

But I still think if you need to use it in that way, you should use client-to-site to save performance for other stuff. ACL would sacrifice partial performance.

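Two points in this thread are easy to misread without seeing them in action: a /32 local selector in the IPsec phase-2 policy (first answer) limits the tunnel to one host in both directions, and a one-way "local may reach remote, remote may only reach the NAS" policy (second question) cannot be expressed with a stateless switch ACL because the deny rule for remote->local also drops the return packets of connections the local side opened. The following simulation is an added example, not code from the thread, TP-Link or Omada; it models the behaviour of the two ACL types and the selector check in plain Python. The addresses 192.168.50.0/24 (Omada side), 192.168.178.0/24 (Fritzbox side) and the NAS at 192.168.50.50 are constructed; only 192.168.50.50/32 appears in the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption: only 192.168.50.50/32 is given in the thread).
LOCAL_LAN = ipaddress.ip_network("192.168.50.0/24")    # Omada / ER605 side
REMOTE_LAN = ipaddress.ip_network("192.168.178.0/24")  # Fritzbox side
NAS = ipaddress.ip_network("192.168.50.50/32")         # the one local host the remote site may reach


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def in_tunnel(local_sel, remote_sel, pkt):
    """IPsec phase-2 traffic-selector check: a packet enters the tunnel only if
    (src, dst) lies in (local, remote) or the reverse. With local = /32 this
    confines the tunnel to a single host in BOTH directions."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (src in local_sel and dst in remote_sel) or (src in remote_sel and dst in local_sel)


class StatelessAcl:
    """Switch-style ACL: each packet is judged on its own header, nothing is remembered."""

    def __init__(self, rules):
        self.rules = rules  # list of (src_net, dst_net, action); first match wins

    def allow(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for src_net, dst_net, action in self.rules:
            if src in src_net and dst in dst_net:
                return action == "permit"
        return False  # implicit deny


class StatefulAcl(StatelessAcl):
    """Gateway-style ACL: a permitted connection is recorded and packets in its
    reply direction are accepted automatically, so 'deny remote -> local'
    no longer breaks connections the local side initiated."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()  # accepted connections as (src, sport, dst, dport)

    def allow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reverse in self.flows:
            return True  # belongs to a connection we already accepted
        if super().allow(pkt):
            self.flows.add(key)
            return True
        return False


# The policy asked for in the second question: local may reach everything remote,
# remote may reach only the NAS.
RULES = [
    (LOCAL_LAN, REMOTE_LAN, "permit"),
    (REMOTE_LAN, NAS, "permit"),
    (REMOTE_LAN, LOCAL_LAN, "deny"),
]


def simulate(acl_cls):
    """Replay a local-initiated HTTP connection and two remote-initiated attempts
    through the given ACL type; returns which packets got through."""
    acl = acl_cls(RULES)
    outbound = Packet("192.168.50.20", "192.168.178.10", 51234, 80)   # local PC -> remote web server
    reply = Packet("192.168.178.10", "192.168.50.20", 80, 51234)      # the server's answer
    to_nas = Packet("192.168.178.10", "192.168.50.50", 40000, 445)    # remote -> NAS (wanted)
    to_pc = Packet("192.168.178.10", "192.168.50.20", 40001, 445)     # remote -> other local host (unwanted)
    return {
        "local_to_remote": acl.allow(outbound),
        "reply_to_local": acl.allow(reply),
        "remote_to_nas": acl.allow(to_nas),
        "remote_to_other_local": acl.allow(to_pc),
    }


if __name__ == "__main__":
    print("stateless:", simulate(StatelessAcl))  # reply_to_local is False: the web session breaks
    print("stateful: ", simulate(StatefulAcl))   # reply_to_local is True, remote_to_other_local still False
    print("/32 selector admits NAS traffic:", in_tunnel(NAS, REMOTE_LAN, Packet("192.168.178.10", "192.168.50.50", 40000, 445)))
    print("/32 selector admits other host:", in_tunnel(NAS, REMOTE_LAN, Packet("192.168.50.20", "192.168.178.10", 51234, 80)))
```

The stateless run shows why the Switch ACL attempt failed: the third rule is required to block remote-initiated traffic, but it cannot distinguish a server's reply from a fresh connection, so the only way to get return traffic through a stateless filter is to open remote->local wholesale, which defeats the policy. The stateful run accepts the reply because it matches a flow created by the permitted outbound packet, which is the property the gateway ACL provides. The selector check shows the trade-off behind the first answer: a /32 local selector enforces the one-host restriction at the tunnel itself, but symmetrically, which is why an asymmetric policy needs the /24 tunnel plus a stateful ACL instead.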