Subdomain to another private IP address

I’m currently not able to ssh to my machine number 2 from outside of the local network. See the following image for an overview.

[Image: overview of my setup]

I would like to ssh to this machine without being on the local network.

My DNS-settings from the DNS-server

@    Type  TTL   Prio Data
     A     300   0

foo  Type  TTL   Prio Data
     CNAME 3600  0

bar  Type  TTL   Prio Data
     A     3600  0

I’ve tried both CNAME and A for the private ip, but I am unable to connect to it using ssh.

I also have the following rule for port forwarding

IP            Local port  External port
              22 - 22     33 - 33
              22 - 22     22 - 22

The following works (from outside of the network):

$ ssh

The following does not work (from outside of the network):

$ ssh


$ ssh 


Changed faulty IP-addresses.

Changed the port forwarding. The port 33 is now redirected to

It works now to $ ssh -p 33 But not with a subdomain.


Let me state this a bit clearer:

RFC1918 IPs are not routable via the Internet. By design.

I have a 192.160.0.x/24 range at home? Are you trying to route to my servers?
Or my neighbour, who probably also has something in 192.168..?
Or his neighbour?

etc etc.

That range is for your own local usage only. It is not reachable via the Internet.

If you assign to then feel free to use that one a local nameserver for your local network and it will be fine. But you cannot use it from outside your local network.

The following does not work (from outside of the network):
$ ssh

As it should (not). If the IP resolves that you are doing an ssh to (port 22).
To whatever sites local is (not the PC in your place, nor the NATting router!)
So the router does not receive anything. Ignore port forwarding. If you receive nothing then there is nothing to apply it to.

Now to what you can do:

If you only have one public IP then you can only have one IP:port tuple. With one IP the IP is fixed. Thus you can only forward the port.

ssh 2022 and portforward that to
ssh 3022 and portforward that to

With only one IP all domains should resolve to your IP.

Alternatively, get more IPs. At least one unique public IP per host was what the Internet was designed around. You only run into this problem because you are using NAT, which is a way to work around us running out of IP v4 addresses.

Luckily we knew that was coming and in the last two decades IP v6 has been rolled out. If you can use that then you have more IPs than you need and you can just ssh to public (IP v6) addresses.

Again I can’t just comment… anyway. You probably won’t be able to get it as easy as using a subdomain except if you do some voodoo on your router.

The problem is the only reachable address from an external access point is your internet IP ( so your subdomains would need to point to that address as well. What’s already working is that you can use different ports.

If you wanted to make this work using subdomains, you’d have to come up with a way that allows you to forward packages based on the DNS name that is being asked for. This isn’t going to be easy and usually would be some kind of Deep Packet Inspection as you’d really dig into the data-stream to get that kind of information while routing (normally) is done on a lower communication layer.

Another option would be to get a second public IP (which might also be difficult with a normal ISP). Thus you could point your first external IP to your first machine and your second external IP to your second machine. This would also be just a kind of NAT.

Yet another way to get around this would be to set up a whole VPN so you’re actually “in” the network and as such would be able to resolve those private IPs.

Edit: As I was curious I dug around a bit (my DNS knowledge isn’t my strongest) but it looks like you might use a SRV record to point your subdomain to your toplevel domain on a different port. So would resolve to, at least according to this thread:

This is probably some setup that isn’t that usual … so you might run into some walls.
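
The point both answers make, that a DNS name ending at an RFC1918 address cannot be reached from outside the LAN, can be checked mechanically before any port forwarding is debugged. The following is an added example, not part of the original posts; the zone contents, host names and addresses are constructed placeholders.

```python
import ipaddress

# The three RFC1918 private ranges; not routable on the Internet by design.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone (placeholder names and addresses, not from the post).
ZONE = {
    "example.com.":     ("A", "203.0.113.10"),     # router's public address
    "foo.example.com.": ("CNAME", "example.com."),  # alias of the public name
    "bar.example.com.": ("A", "192.168.0.12"),     # LAN host published in DNS
    "old.example.com.": ("CNAME", "gone.example.com."),  # dangling alias
}

def is_rfc1918(addr):
    """True if addr (string or address object) lies in an RFC1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def resolve(zone, name, max_hops=8):
    """Follow CNAMEs inside the zone; return the final A address or None."""
    for _ in range(max_hops):
        rec = zone.get(name)
        if rec is None:
            return None
        rtype, data = rec
        if rtype == "A":
            return data
        if rtype != "CNAME":
            return None
        name = data
    return None  # CNAME loop or chain longer than max_hops

def audit(zone):
    """Map each name to 'public', 'rfc1918' or 'unresolved'."""
    report = {}
    for name in zone:
        addr = resolve(zone, name)
        if addr is None:
            report[name] = "unresolved"
        else:
            report[name] = "rfc1918" if is_rfc1918(addr) else "public"
    return report

if __name__ == "__main__":
    for name, verdict in audit(ZONE).items():
        print(f"{name:20} {verdict}")
```

A name reported as `rfc1918` only works for clients already inside the LAN (or on a VPN into it); from outside, the connection never reaches the router, so no forwarding rule applies.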
