Netgate Discussion Forum
    Resolving SSH internally and externally by domain name, known hosts warning

    Firewalling
    3 Posts 2 Posters 726 Views
    madivad

      I'm trying to understand what's exactly happening in the following scenario:

      I have a domain name pointing to my home IP address (like: home.mydomain.com) and when I want to SSH into it I can just type "ssh home.mydomain.com". I am forwarded to the SSH server. This is when I am not at home.

      When I am at home I generally just type "ssh home" which also works and takes me to the server.

      I mistakenly typed the full domain from within my network and I got the "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning message. Upon deleting the key and checking the key it gave me, I confirmed that key was in fact my pfSense box (confirmed by checking the key against the key for pfSense in the known hosts file).

      This happens with or without reflection enabled.

      I tried setting up a host override internally to allow for this through the DNS Resolver using:
      HOST: home
      DOMAIN: mydomain.com
      IP: internal IP of the server

      But it's still seeing the pfSense box.

      It's not really a problem, I just have to remember to use either "ssh home" or "ssh home.localdomain" and all is good. But I would like to understand what's happening with the routing and how I would get around this if I really wanted to achieve "ssh home.mydomain.com" (I suppose this could have other use cases, e.g. using the same domain name internally and externally for a local webserver, but for me in this situation, it is in relation to SSH).

      As a follow on, what would be the difference between doing this for a local webserver?

      My initial thought on this is simply that because it's SSH on port 22 and being internal, the external IP resolves to the pfSense box, but since it's originating inside the network, pfSense wants to process the request and allow me access to it, but my computer is saying, "hey, this isn't the box you want". Obviously, addressing pfSense directly works.

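The check the original poster did by hand, comparing the key the unexpected host offered against the pfSense entry in known_hosts, as an added Python example; this is not code from the thread or from pfSense. It assumes a constructed known_hosts with placeholder keys, and also handles hashed (`|1|salt|hmac`) entries, which goes beyond the plain-name case in the post.

```python
import base64
import hashlib
import hmac

def hashed_entry(hostname, salt):
    """Build a HashKnownHosts pattern: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def _hashed_matches(pattern, hostname):
    """True if a hashed known_hosts pattern was produced from hostname."""
    _, _, salt_b64, digest_b64 = pattern.split("|")
    salt = base64.b64decode(salt_b64)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))

def _entries(known_hosts_text):
    """Yield (host_pattern, keytype, key); skip comments and @cert-authority/@revoked markers."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2]

def hosts_with_key(known_hosts_text, keytype, key, candidate_names=()):
    """Names already trusted for exactly this key (hashed entries are only tested against candidate_names)."""
    found = []
    for pattern, ktype, k in _entries(known_hosts_text):
        if ktype != keytype or k != key:
            continue
        if pattern.startswith("|1|"):
            names = [n for n in candidate_names if _hashed_matches(pattern, n)]
        else:
            names = pattern.split(",")
        for n in names:
            if n not in found:
                found.append(n)
    return found

# Constructed sample mirroring the thread: "home" is the SSH server, the pfSense box has
# its own (hashed) entry. Both key blobs are placeholders, not real host keys.
PFSENSE_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPfSenseBoxPlaceholderKey0000000000"
HOME_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIHomeServerPlaceholderKey0000000000"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "home,home.localdomain,192.168.1.10 ssh-ed25519 " + HOME_KEY,
    hashed_entry("pfsense.localdomain", b"\x01" * 20) + " ssh-ed25519 " + PFSENSE_KEY,
])
```

If the key offered for home.mydomain.com comes back as belonging to pfsense.localdomain, the warning is split-DNS resolving to the WAN address rather than a changed server key; if it matches nothing, treat it as a genuine key change and verify out of band before removing anything.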
        johnpoz LAYER 8 Global Moderator

        If you're internal.. Just create a host override for whatever FQDN you want to use for your ssh server.. Or pfsense ssh.  If you like to use home.mydomain.com then create a host override for that so when you're on your network you resolve it to the internal IP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          madivad

          No Probs, thanks JohnP, I thought I had, but maybe I hadn't applied it. As mentioned in the OP, I had already set it up but it was accessing the pfSense box, but upon trying it when I got home, it's working as expected. Thanks again.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.