Notes About the Internet Router Digitalisierungsbox Premium

The Digitalisierungsbox Premium is a popular Internet router for small businesses in Germany, mainly because the German telecommunications company Deutsche Telekom markets it to its business customers. It is actually a rebranded be.IP plus from bintec elmeg GmbH.

The Digitalisierungsbox Premium is a convenient and inexpensive way for small businesses to continue using their existing ISDN telephone systems now that ISDN lines are no longer supported in Germany.

General Configuration Procedure
The built-in web server listens on both HTTP and HTTPS. Even inside your LAN you should use the HTTPS address, otherwise the administrator password crosses the network in clear text. Your browser will warn, and you will have to add a security exception, because the router presents a certificate that is not issued by a publicly trusted CA. Rather than clicking through the warning every time, note the certificate fingerprint the first time you connect from the LAN and treat a later change as something to explain (firmware update, factory reset) rather than to accept.
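A way to replace the blanket browser exception with a pinned fingerprint, as an added example (not code from the page or from bintec elmeg): fetch the certificate the router presents without verifying it, store its SHA-256 fingerprint on first use, and compare on every later connection. ROUTER_HOST and PIN_FILE are assumptions; set ROUTER_HOST to your box's LAN address.

```python
"""Record and re-check the router's self-signed HTTPS certificate fingerprint.

Added example, not part of the original page. ROUTER_HOST is an assumption
(use your box's LAN address); PIN_FILE is where the first-seen fingerprint
is stored.
"""
import hashlib
import socket
import ssl
from pathlib import Path
from typing import Optional

ROUTER_HOST = "192.168.0.250"   # assumption: adjust to your LAN address
ROUTER_PORT = 443
PIN_FILE = Path.home() / ".digibox-cert-pin"   # assumption: pin storage location


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated
    in the form browsers show in the certificate viewer."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_router_cert(host: str = ROUTER_HOST, port: int = ROUTER_PORT,
                      timeout: float = 5.0) -> bytes:
    """Fetch the certificate the router presents, without chain verification:
    verification is exactly what fails for this box, so we pin instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(seen_fp: str, pinned_fp: Optional[str]) -> str:
    """Trust-on-first-use decision.
    'pin'      -> nothing stored yet; store seen_fp (do this from the LAN, not via the Internet)
    'ok'       -> matches the stored fingerprint
    'MISMATCH' -> certificate changed: firmware update, factory reset, or someone in the middle
    """
    if pinned_fp is None:
        return "pin"
    return "ok" if seen_fp.upper() == pinned_fp.upper() else "MISMATCH"


def main() -> None:
    fp = fingerprint(fetch_router_cert())
    stored = PIN_FILE.read_text().strip() if PIN_FILE.exists() else None
    verdict = check_pin(fp, stored)
    if verdict == "pin":
        PIN_FILE.write_text(fp + "\n")
    print(f"{verdict}: {fp}")


if __name__ == "__main__":
    main()
```

Run it once from the LAN to record the pin, then before each admin session; a MISMATCH after a firmware update is expected, a MISMATCH out of the blue is not.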

It is not obvious how to access all configuration options (the equivalent to the "expert mode").

First of all, click on the ANSICHT (view) menu title on the top-right of the web interface, and change to the Vollzugriff (full access) mode.

If the option tree panel does not appear on the left, click on the hamburger menu (the icon with the three horizontal lines) on the top-left of the web interface.

Unfortunately, the box does not remember your choice of view, so you will have to repeat these steps every time.

After changing any settings, remember to click on the KONFIGURATION SPEICHERN (save configuration) button on the top-right of the web interface. Otherwise, your changes will be lost upon reboot. This button does not get properly highlighted after any configuration changes, so you will inevitably forget many times, which I find very annoying.

Response to Ping
Pinging the Digitalisierungsbox Premium from outside (from the Internet) gets an ICMP Destination Host Unreachable back instead of an echo reply:

PING 56(84) bytes of data.
From .dip0.t-ipconnect.de icmp_seq=1 Destination Host Unreachable

This is silly. You would expect either a proper echo reply or silence, not a different ICMP error. It also gains nothing: the error comes from the router's own public address (note the dip0.t-ipconnect.de reverse name), so it reveals that a host is there just as an echo reply would.

Port Scan
An nmap port scan from outside (from the Internet) shows the following listening ports:

PORT     STATE    SERVICE      VERSION
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
5060/tcp open     sip?

I wonder why the TCP ports above are open or filtered. The ports related to Microsoft Windows do not show up if the port scan is performed from inside (from the LAN). I wonder whether the results above are actually falsified due to some firewall configuration at network level for this type of customers.

A "filtered" state means nmap got neither a SYN/ACK nor a RST: something on the path (the router itself or the provider network) dropped the probe or answered with an ICMP error. It does not mean the service is reachable.

Port 5060 is probably SIP, and it accepts TCP connections from the Internet. That should not be the default for a small-business router: a SIP listener reachable from anywhere is probed constantly by SIP scanners looking for accounts to register against. Unless you really need inbound SIP from arbitrary hosts, check in the VoIP settings whether the listener can be restricted to your telephony provider's addresses.

An nmap port scan from inside (from the LAN) of both the public IP address and the local LAN IP address yields the same result:

PORT     STATE    SERVICE      VERSION
22/tcp   filtered ssh
23/tcp   filtered telnet
80/tcp   open     http         boss/1.0 (BOSS)
161/tcp  filtered snmp
443/tcp  open     ssl/https    boss/1.0 (BOSS)
5060/tcp open     sip?
5061/tcp open     ssl/sip-tls?
7000/tcp open     afs3-fileserver?

BOSS is the name of the Digitalisierungsbox Premium firmware.

WLAN Guest Access
Newer firmware versions have a WLAN "assistant". Creating a separate WLAN for guests with the assistant is very easy.

Dynamic DNS
As a customer of Deutsche Telekom, if you do a reverse lookup of your public IP address, you will see a DNS name like this:

p1A2B3C4D.dip0.t-ipconnect.de

The ID after the first 'p' is just the IPv4 address in hexadecimal (p1A2B3C4D is 0x1A.0x2B.0x3C.0x4D, i.e. 26.43.60.77), so this DNS name will not remain the same if your router gets a new IP address the next time around. Therefore, if you have not ordered a fixed IP address, you will need Dynamic DNS in order to access your router from the Internet.

If you have some Linux or Windows server in your LAN, it is probably easier and more secure to run a standard Dynamic DNS update script there than to deal with this router: the script can talk to the provider over HTTPS, which the router cannot, and you control which credentials it uses. Otherwise, read on.

Provider freedns.afraid.org does not work. The Digitalisierungsbox Premium does not recognise the response from the freedns.afraid.org update URL, so it will always display the update attempt as failed (Status: Fehlgeschlagen). Once an update fails, the router will not try again.

There is a user report in the Telekom forum that the Digitalisierungsbox Premium always adds some parameters to the URL like this:

Custom protocol:       ?system=custom&hostname=bla&myip=1.2.3.4&
DynDNS protocol:       ?system=dyndns&hostname=bla&myip=1.2.3.4&wildcard=OFF&
StaticDynDNS protocol: ?system=statdns&hostname=bla&myip=1.2.3.4&wildcard=OFF&

These extra parameters could confuse some servers.

It is best to choose a Dynamic DNS provider that is known to work with the Digitalisierungsbox Premium. I had success with GoIP. They even have a page with screenshots for this router.

When creating a Dynamic DNS provider (under DYNDNS-PROVIDER), you get to choose the interface (Schnittstelle) from a long list with entries like "en1-4" and "br0". One of them should have a more human-readable name, like "DTAG Internet-Zugang". If you are not sure which one you should choose, go to "WAN", "Internet + Einwählen". The interface name should be displayed there.

Note that HTTPS is not supported for the update URL, so the request, including the hostname and whatever credentials the provider embeds in the URL, is sent in clear text over the Internet. Use a DynDNS password or token that is not shared with anything else.

I do not know what the update interval (Aktualisierungsintervall) in the DNS provider is for. The router does not seem to honour it. I hope the router will update the DNS entry when its public IP address changes.
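The pieces of the update procedure described above (the hex-encoded t-ipconnect reverse name, the parameter string the router is reported to build, an update over HTTPS that only fires when the address has changed) as one added example for a LAN host, not code from the page, from bintec elmeg or from any provider. The provider endpoint, credentials and state file are assumptions; the reply words ('good', 'nochg', 'badauth', ...) are the ones DynDNS2-compatible providers return.

```python
"""Dynamic DNS helpers for a LAN host behind the Digitalisierungsbox Premium.

Added example, not from the page or from bintec elmeg. UPDATE_URL, STATE_FILE
and the credentials in main() are assumptions.
"""
import base64
import ipaddress
import re
import urllib.request
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import urlencode

# --- the Telekom reverse name encodes the IPv4 address in hex ---------------

_TIPCONNECT = re.compile(r"^p([0-9A-Fa-f]{8})\.dip0\.t-ipconnect\.de\.?$")


def ip_from_tipconnect_name(name: str) -> Optional[str]:
    """p1A2B3C4D.dip0.t-ipconnect.de -> '26.43.60.77' (None if not that shape)."""
    m = _TIPCONNECT.match(name)
    if not m:
        return None
    return str(ipaddress.IPv4Address(int(m.group(1), 16)))


# --- update URLs in the shape the router is reported to build -------------

def router_style_query(system: str, hostname: str, ip: str) -> str:
    """Reproduce the parameter string from the forum report: a fixed 'system'
    value, a trailing '&', and 'wildcard=OFF' for the DynDNS/StaticDNS variants.
    Useful for testing whether your provider chokes on it before trusting the box."""
    params = {"system": system, "hostname": hostname, "myip": ip}
    if system in ("dyndns", "statdns"):
        params["wildcard"] = "OFF"
    return "?" + urlencode(params) + "&"


# --- DynDNS2 client with change detection --------------------------------

STATE_FILE = Path.home() / ".ddns-last-ip"                 # assumption: cache of the last IP sent
UPDATE_URL = "https://members.dyndns.example/nic/update"   # assumption: your provider's HTTPS endpoint


def parse_dyndns2_response(body: str) -> Tuple[bool, str, Optional[str]]:
    """Map a DynDNS2 reply to (ok, code, ip). 'good' and 'nochg' are success;
    anything else means stop retrying and look at the configuration."""
    parts = body.strip().split()
    if not parts:
        return (False, "empty", None)
    code = parts[0]
    ip = parts[1] if len(parts) > 1 else None
    return (code in ("good", "nochg"), code, ip)


def needs_update(current_ip: str, last_ip: Optional[str]) -> bool:
    """Only talk to the provider when the public address actually changed."""
    return current_ip != last_ip


def send_update(hostname: str, ip: str, user: str, password: str,
                url: str = UPDATE_URL) -> Tuple[bool, str, Optional[str]]:
    """One DynDNS2 update over HTTPS with Basic auth, which is what the router
    cannot do because it only speaks HTTP to the provider."""
    req = urllib.request.Request(url + "?" + urlencode({"hostname": hostname, "myip": ip}))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("User-Agent", "lan-ddns-example/1.0")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_dyndns2_response(resp.read().decode("utf-8", "replace"))


def main(current_ip: str) -> None:
    last = STATE_FILE.read_text().strip() if STATE_FILE.exists() else None
    if not needs_update(current_ip, last):
        print("unchanged:", current_ip)
        return
    # assumption: hostname and credentials of your DynDNS account
    ok, code, ip = send_update("myhost.example", current_ip, "user", "secret")
    print(code, ip)
    if ok:
        STATE_FILE.write_text(current_ip + "\n")


if __name__ == "__main__":
    import sys
    # pass the current public address, e.g. read from the router's WAN status page
    main(sys.argv[1])
```

Run it from cron every few minutes with the current public address; the state file keeps it quiet while the address is unchanged, which is the behaviour the router's update interval setting would be expected to provide.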

Do not forget to save the router configuration at the end.

Port Forward
There is an assistant that simplifies the creation of port forwards. It is under "Assistenten", "NAT / Firewall". Unfortunately, the external (WAN) port and the internal (LAN) TCP/UDP port must be the same, and there are situations where they should differ.

Without the assistant, creating a port forward is much more work, because you must also adjust the firewall rules. I wonder if this source / destination port flexibility is then available.

After creating a port forward, you can check what the assistant has created for you:


 * Go to "Netzwerk", "NAT", and switch to tab "NAT-CONFIGURATION". Look at those entries under the Internet (WAN) connection, which could be called something like "DTAG Internet-Zugang".
 * Go to "Firewall", "Richtlinien". Look under "Filterregeln" those entries with a source matching the Internet (WAN) connection, which could be called something like "WAN_DTAG INTERNET-ZUGANG".

If you wish to access such port forwards at the public IP address from the internal network (LAN), which is for example useful for test purposes, you have to enable the "NAT loopback" feature on the LAN interface. Go to "Netzwerk", "NAT", and change to the "NAT-SCHNITTSTELLEN" tab. Entry "BRIDGE_BR0" has both "NAT aktiv" and "Loopback aktiv" disabled. Enable only "Loopback aktiv".

VPN
The Digitalisierungsbox Premium supports VPN connections, but there is no support for OpenVPN or L2TP, only for IPsec. IKEv1 and IKEv2 are supported.

There is a video showing how to configure a VPN for Apple iOS devices using IKEv2 and a pre-shared key.

Unfortunately, the built-in VPN client in Windows 7 through Windows 10 version 1803 does not support pre-shared keys for IKEv2, only certificate-based authentication. Setting up certificates that Windows trusts is cumbersome, and I could not find any official documentation about it. There are some slides from a third-party workshop titled "IKEv2 zwischen Windows 7 und Gateway mit Zertifikaten (PKCS#12)", with screenshots and some notes, but not a lot of in-depth information. There is no official documentation for Linux, and very little elsewhere. Proprietary VPN clients for Windows are suggested, and they require license fees.

My advice is to forget the built-in VPN feature. Set up a port forward (UDP 1194 by default) to an internal OpenVPN server, and be done with it.

IPv6 and DNS
If you are running a network with a Windows domain controller, you will probably need to disable DHCP on the router, because domain-joined Windows clients must use the domain controller's DNS server (it serves the Active Directory SRV records that clients use to find the domain), and the router's DHCP would hand out the router itself as DNS server instead.

Beware: the Digitalisierungsbox Premium has a hidden DHCPv6 server. If you go to "Internet & Netzwerk", "Mehr anzeigen", "DHCPv6-Server" and everything there is empty, that does not mean it is disabled. Windows computers with IPv6 set to automatic will still receive an IPv6 DNS server from the router, and both that DNS server and the default gateway will be the router's link-local IPv6 address. Windows prefers IPv6 over IPv4, so your IPv4 domain DNS servers get bypassed. Hard-to-explain domain misbehaviour will ensue.

In order to disable this on the router, you need to navigate the following menus:

Internet & Netzwerk
  Mehr anzeigen
    IP-Konfiguration
      br0(VLAN-ID1) (your LAN): click on the pencil to the right ("bearbeiten")
        Grundlegende IPv6-Parameter
          DHCP-Server -> change to "Deaktiviert", but this is still not enough
        Mehr anzeigen
          Erweiterte IPv6-Einstellungen
            DHCP-Modus              -> change to "Aus"
            DNS-Propagation: Selbst -> change to "Aus"

Afterwards, save the configuration. A router reboot does not seem necessary.

The Windows workstations will still figure out the default gateway, which will be the router's link-local IPv6 address: the IPv6 default route comes from the router's Router Advertisements, which these settings leave alone. But they will no longer receive an IPv6 DNS server address. Check with ipconfig /all on a client: the DNS server list should now contain only your IPv4 domain DNS servers.
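A direct check of the DHCPv6 part of the problem above, as an added example (my code, not from the page or from bintec elmeg): send the same DHCPv6 Information-request a Windows client sends when it wants a DNS server (message type 11 with an Option Request for the DNS recursive name server option, RFC 8415), and report what, if anything, replies. No reply within the timeout is the desired outcome after the settings above. IFACE, the DUID and the transaction id are assumptions; build_reply only exists to exercise the parser offline.

```python
"""Ask the LAN whether a DHCPv6 server still hands out a DNS server.

Added example, not part of the original page. IFACE is an assumption
(the LAN interface of the host you run this on).
"""
import os
import socket
import struct
from typing import List, Optional, Tuple

MSG_REPLY = 7
MSG_INFORMATION_REQUEST = 11
OPT_CLIENTID = 1
OPT_SERVERID = 2
OPT_ORO = 6
OPT_ELAPSED_TIME = 8
OPT_DNS_SERVERS = 23
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"
IFACE = "eth0"   # assumption: LAN interface name on the probing host


def build_information_request(xid: bytes, duid: bytes) -> bytes:
    """msg-type(1) | transaction-id(3) | options; each option is code(2) len(2) data."""
    assert len(xid) == 3
    options = (
        struct.pack("!HH", OPT_CLIENTID, len(duid)) + duid
        + struct.pack("!HH", OPT_ELAPSED_TIME, 2) + struct.pack("!H", 0)
        + struct.pack("!HHH", OPT_ORO, 2, OPT_DNS_SERVERS)   # "please include DNS servers"
    )
    return bytes([MSG_INFORMATION_REQUEST]) + xid + options


def build_reply(xid: bytes, dns_servers: List[str], server_duid: bytes) -> bytes:
    """What a server's Reply looks like; used here to exercise the parser offline."""
    addrs = b"".join(socket.inet_pton(socket.AF_INET6, a) for a in dns_servers)
    options = struct.pack("!HH", OPT_SERVERID, len(server_duid)) + server_duid
    if dns_servers:
        options += struct.pack("!HH", OPT_DNS_SERVERS, len(addrs)) + addrs
    return bytes([MSG_REPLY]) + xid + options


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the option list; stop cleanly on a truncated or malformed packet."""
    out = []
    pos = 0
    while pos + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > len(data):
            break
        out.append((code, data[pos:pos + length]))
        pos += length
    return out


def dns_servers_from_reply(packet: bytes, xid: bytes) -> Optional[List[str]]:
    """Advertised DNS servers from a Reply to our request: [] if it carries none,
    None if the packet is not a Reply matching our transaction id."""
    if len(packet) < 4 or packet[0] != MSG_REPLY or packet[1:4] != xid:
        return None
    servers = []
    for code, value in parse_options(packet[4:]):
        if code == OPT_DNS_SERVERS and len(value) % 16 == 0:
            for i in range(0, len(value), 16):
                servers.append(socket.inet_ntop(socket.AF_INET6, value[i:i + 16]))
    return servers


def probe(timeout: float = 3.0) -> Optional[List[str]]:
    """Send the request to ff02::1:2 port 547 and wait on port 546 (binding it
    usually needs root). None means no DHCPv6 server answered at all."""
    xid = os.urandom(3)
    duid = struct.pack("!HH", 3, 1) + os.urandom(6)   # DUID-LL with a made-up MAC address
    if_index = socket.if_nametoindex(IFACE)
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_IF, if_index)
        s.bind(("::", 546))
        s.settimeout(timeout)
        s.sendto(build_information_request(xid, duid),
                 (ALL_DHCP_RELAY_AGENTS_AND_SERVERS, 547, 0, if_index))
        try:
            while True:
                data, _ = s.recvfrom(1500)
                servers = dns_servers_from_reply(data, xid)
                if servers is not None:
                    return servers
        except socket.timeout:
            return None


if __name__ == "__main__":
    result = probe()
    print("no DHCPv6 reply (good)" if result is None else f"DHCPv6 still advertises DNS: {result}")
```

This only covers the DHCPv6 path ("DHCP-Modus"). If the router were to announce itself through the RDNSS option of its Router Advertisements instead (which is what "DNS-Propagation" suggests), this probe would not see it; confirming that case needs an RA listener with raw ICMPv6 access, or simply the ipconfig /all check on a client.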