FritzBox LAN 2 LAN VPN with pfSense

In this article I described how to set up a FritzBox LAN 2 LAN VPN with StrongSwan. Meanwhile I replaced Ubuntu on the server with pfSense. Of course I have set up my FritzBOX VPN connections again. So here’s a tutorial on how to set up a FritzBox LAN 2 LAN VPN with pfSense.

The prerequisites remain the same in comparison to the StrongSwan instructions:

  • Register your FritzBox with a DynDNS service (e.g. https://myfritz.net) and find your FritzBox domain name (e.g. myfb.myfritz.net)
  • Find your FritzBox’ private subnet, typically 192.168.178.0/24
  • Find (or define) the subnet on the remote site, e.g. 192.168.42.0/24
  • Find the hostname of the remote site, e.g. remote.example.com
  • Define a pre-shared secret, e.g. S3cret123! (no, please do not use that, that’s my secret secret!)
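Two of these prerequisites are easy to get wrong: the two LAN subnets must not overlap (otherwise traffic for the remote site is never sent into the tunnel), and the pre-shared secret should be long and random rather than something like the example above. The following script is an added example, not part of the original article; it checks a parameter set against those two requirements and generates a usable secret. The function and constant names are my own, and the sample values are constructed from the article's examples.

```python
import ipaddress
import re
import secrets

# Constructed sample values mirroring the article's prerequisites.
FRITZBOX_SUBNET = "192.168.178.0/24"   # typical FritzBox LAN
REMOTE_SUBNET = "192.168.42.0/24"      # subnet behind pfSense
EXAMPLE_PSK = "S3cret123!"             # the article's (deliberately bad) example secret


def check_lan2lan_params(local_subnet, remote_subnet, psk, min_psk_len=20):
    """Return a list of problems with the given VPN parameters.

    An empty list means the subnets can be routed through one tunnel and the
    pre-shared secret meets a minimal length/complexity bar.
    """
    problems = []
    try:
        # strict=True rejects host addresses such as 192.168.178.5/24,
        # which the FritzBox/pfSense forms would not accept as a network.
        local = ipaddress.ip_network(local_subnet, strict=True)
        remote = ipaddress.ip_network(remote_subnet, strict=True)
    except ValueError as exc:
        return [f"invalid subnet: {exc}"]

    if local.version != remote.version:
        problems.append("both subnets must use the same IP version")
    elif local.overlaps(remote):
        problems.append(
            f"subnets {local} and {remote} overlap; "
            "overlapping LANs cannot be routed through a LAN-to-LAN tunnel"
        )

    if len(psk) < min_psk_len:
        problems.append(
            f"pre-shared secret is too short ({len(psk)} chars, want >= {min_psk_len})"
        )
    # Count the character classes present: lower, upper, digit, other.
    classes = sum(
        bool(re.search(pattern, psk))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("pre-shared secret should mix at least three character classes")
    return problems


def generate_psk(nbytes=32):
    """Return a random URL-safe secret suitable as an IPsec pre-shared key."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for problem in check_lan2lan_params(FRITZBOX_SUBNET, REMOTE_SUBNET, EXAMPLE_PSK):
        print("problem:", problem)
    print("suggested secret:", generate_psk())
```

Run it once with the values you intend to enter on both sides; the generated secret is what goes into the FritzBox and pfSense pre-shared key fields, so copy it from a terminal rather than retyping it.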

Configure your FritzBox

Last time I presented a large configuration file that had to be imported into the FritzBox to set up the VPN connection. In the meantime I have found which encryption and hashing algorithms the FritzBox uses by default, so that we can simply use the default settings of the FritzBox and therefore the web interface built into FritzOS 7.x:

Configure pfSense

The pfSense configuration is similarly simple:

IPSec Phase 1 Configuration
IPSec Phase 2 Configuration

Conclusion

In my opinion, it’s pretty easy to set up a FritzBox LAN 2 LAN VPN with pfSense. The only hard thing is to figure out the preferred encryption and hashing algorithms supported by the FritzBox.

I have this running now with pfSense 2.4.4 with both a FritzBox 7490 and a FritzBox 7590.

An additional note: Sometimes a Dual Stack connection does not seem to be completely stable. In this case it helps to set Internet Protocol to IPv4 in phase 1.

6 thoughts to “FritzBox LAN 2 LAN VPN with pfSense”

    1. Actually, it’s quite easy: pfSense’s “My Identifier”/”Distinguished Name” should be the same (host)name you enter in the FritzBox’ “Internet-Adresse”. It’s basically the hostname of your pfSense gateway. I guess entering an IP address should also be possible, but as far as I know it has to be the same value on both sides, so if you use an IP address for “Internet-Adresse”, you should enter this IP address also as “My Identifier”/”Distinguished Name”.

      pfSense’s “Peer Identifier”/”Distinguished Name” has to be the (primary) external hostname of your FritzBox. I’ve only tried it with MyFritz DynDNS service, so the MyFritz name (123randomlettersxyz.myfritz.net) is the right one here. With other DynDNS services try its respective hostname.

      Please let me know if you got it working 🙂

  1. From my Fritz!Box network I can see LAN PCs on pfSense, but from pfSense I can’t see any PC on Fritz!Box

      1. PING, BROWSE etc.
        From my Fritz (network) I can connect to servers and computers in the pfSense network, but from the pfSense network I can’t connect to the other side (Fritz network)

        1. Could be a routing issue. Please check your Outbound NAT settings/firewall configuration. Or maybe the target system blocks pings. Please notice: I can’t ping my FritzBox from pfSense, but I can access its web interface (no idea why).
