Resolving SSH internally and externally by domain name, known hosts warning

  • I'm trying to understand what's exactly happening in the following scenario:

    I have a domain name pointing to my home IP address (like: and when I want to SSH into it I can just type "ssh". I am forwarded to the SSH server. This is when I am not at home.

    When I am at home I generally just type "ssh home" which also works and takes me to the server.

    I mistakenly typed the full domain from within my network and I got the "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning message. Upon deleting the key and checking the key it gave me, I confirmed that key was in fact my pfSense box (confirmed by checking the key against the key for pfSense in the known hosts file).

    This happens with or without reflection enabled.

    I tried setting up a host override internally to allow for this through the DNS Resolver using:
    HOST: home
    IP: internal IP of the server

    But it's still seeing the pfSense box.

    It's not really a problem, I just have to remember to use either "ssh home" or "ssh home.localdomain" and all is good. But I would like to understand what's happening with the routing, and how I would get around this if I really wanted to achieve "ssh" (I suppose this could have other use cases, e.g. using the same domain name internally and externally for a local webserver, but for me in this situation it is in relation to SSH).

    As a follow on, what would be the difference between doing this for a local webserver?

    My initial thought on this is simply that because it's SSH on port 22 and being internal, the external IP resolves to the pfSense box, but since it's originating inside the network, pfSense wants to process the request and allow me access to it, while my computer is saying, "hey, this isn't the box you want". Obviously, addressing pfSense directly works.

  • LAYER 8 Global Moderator

    If you're internal.. Just create a host override for whatever FQDN you want to use for your SSH server.. Or pfSense SSH. If you like to use then create a host override for that, so when you're on your network you resolve it to the internal IP.

  • No probs, thanks JohnP. I thought I had, but maybe I hadn't applied it. As mentioned in the OP, I had already set it up, but it was accessing the pfSense box; upon trying it when I got home, it's working as expected. Thanks again.
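The check the OP did by hand (compare the key offered under the "changed" name against the keys already in known_hosts to see which box it really belongs to) can be scripted, so that a "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning is explained before any key is deleted. This is an added example, not code from the thread or from pfSense; the known_hosts content and key blobs are constructed placeholders, and `home.example.net` stands in for the OP's elided domain.

```shell
#!/bin/sh
# Constructed sample known_hosts: the server key is pinned under "home" and the
# public FQDN, the router (pfSense) key under its LAN name. Blobs are NOT real keys.
SERVER_KEY='AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDserverKEY0000000000000000000'
ROUTER_KEY='AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDrouterKEY0000000000000000000'
SAMPLE_KNOWN_HOSTS="home,192.168.1.10 ssh-ed25519 $SERVER_KEY
pfsense.localdomain,192.168.1.1 ssh-ed25519 $ROUTER_KEY
home.example.net ssh-ed25519 $SERVER_KEY"

# hosts_with_key FILE KEYTYPE KEYBLOB -> every name the file already trusts with
# exactly this key, one per line (plain entries only).
hosts_with_key() {
  awk -v t="$2" -v k="$3" '
    $1 ~ /^@/     { next }   # @cert-authority / @revoked marker lines
    $1 ~ /^\|1\|/ { next }   # hashed hostnames cannot be compared by name
    $2 == t && $3 == k { n = split($1, h, ","); for (i = 1; i <= n; i++) print h[i] }
  ' "$1"
}

# pinned_key FILE HOST -> "keytype blob" currently recorded for HOST, if any.
pinned_key() {
  awk -v host="$2" '
    $1 !~ /^[@|]/ { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == host) { print $2, $3; exit } }
  ' "$1"
}

# diagnose FILE HOST KEYTYPE KEYBLOB -> verdict for the key HOST just offered:
#   unchanged    same key as pinned, no warning expected
#   known-other  key is pinned under other names (the OP's case: the FQDN
#                resolved to the WAN address from inside, so the router answered)
#   unknown      matches nothing on file: verify the fingerprint out of band
diagnose() {
  pinned=$(pinned_key "$1" "$2")
  if [ "$pinned" = "$3 $4" ]; then echo unchanged; return; fi
  others=$(hosts_with_key "$1" "$3" "$4" | grep -vx "$2" || true)
  if [ -n "$others" ]; then echo "known-other: $(echo $others)"; else echo unknown; fi
}

# Live use (not run here): feed the key the name currently offers into diagnose.
#   ssh-keyscan -t ed25519 home.example.net 2>/dev/null \
#     | { read h t k; diagnose ~/.ssh/known_hosts "$h" "$t" "$k"; }
```

A "known-other" verdict naming the router is the split-DNS symptom from the thread; the fix is the host override, not removing the entry.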
