Subdomain to another private IP address

QUESTION :

I’m currently not able to ssh to my machine number 2 from outside of the local network. See the following image for an overview.

Image of my setup: (image not reproduced here)

I would like to ssh to this machine without being on the local network.

My DNS-settings from the DNS-server

@    Type  TTL   Prio Data
     A     300   0    1.2.3.4

foo  Type  TTL   Prio Data
     CNAME 3600  0    192.168.0.15

bar  Type  TTL   Prio Data
     A     3600  0    192.168.0.15

I’ve tried both CNAME and A for the private IP, but I am unable to connect to it using ssh.

I also have the following rule for port forwarding

IP            Local port External port 
192.168.0.15  22 - 22    33 - 33 
192.168.0.04  22 - 22    22 - 22

The following works (from outside of the network):

$ ssh user@example.com

The following does not work (from outside of the network):

$ ssh user@foo.example.com

or

$ ssh user@bar.example.com

EDIT 1:

Changed faulty IP-addresses.

Changed the port forwarding. The port 33 is now redirected to 192.168.0.15.

It works now to $ ssh -p 33 user@example.com. But not with a subdomain.

ANSWER :

Let me state this a bit more clearly:

RFC1918 IPs are not routable via the Internet. By design.

Why?
I have a 192.160.0.x/24 range at home. Are you trying to route to my servers?
Or my neighbour, who probably also has something in 192.168..?
Or his neighbour?

etc etc.

That range is for your own local usage only. It is not reachable via the Internet.

If you assign foo.example.com to 192.168.0.15 then feel free to use that on a local nameserver for your local network and it will be fine. But you cannot use it from outside your local network.

The following does not work (from outside of the network):
$ ssh user@foo.example.com

As it should (not). If the IP resolves, then you are doing an ssh to 192.168.0.15 (port 22), to whatever the local 192.168.0.15 is at that site (not the PC in your place, nor the NATting router!).
So the router does not receive anything. Ignore port forwarding. If you receive nothing then there is nothing to apply it to.

Now to what you can do:

If you only have one public IP then you can only have one IP:port tuple. With one IP the IP is fixed. Thus you can only forward the port.

E.g.:
ssh -p 2022 user@1.2.3.4 and port forward that to 192.168.0.15
ssh -p 3022 user@1.2.3.4 and port forward that to 192.168.0.4

With only one IP all domains should resolve to your 1.2.3.4 IP.

Alternatively, get more IPs. At least one unique public IP per host was what the Internet was designed around. You only run into this problem because you are using NAT, which is a way to work around us running out of IP v4 addresses.

Luckily we knew that was coming and in the last two decades IP v6 has been rolled out. If you can use that then you have more IPs than you need and you can just ssh to the public (IP v6) addresses.

Again I can’t just comment… anyway. You probably won’t be able to get it as easy as using a subdomain except if you do some voodoo on your router.

The problem is the only reachable address from an external access point is your internet IP (1.2.3.4) so your subdomains would need to point to that address as well. What’s already working is that you can use different ports.

If you wanted to make this work using subdomains, you’d have to come up with a way that allows you to forward packets based on the DNS name that is being asked for. This isn’t going to be easy and usually would be some kind of Deep Packet Inspection as you’d really dig into the data-stream to get that kind of information while routing (normally) is done on a lower communication layer.

Another option would be to get a second public IP (which might also be difficult with a normal ISP). Thus you could point your first external IP to your first machine and your second external IP to your second machine. This would also be just a kind of NAT.

Yet another way to get around this would be to set up a whole VPN so you’re actually “in” the network and as such would be able to resolve those private IPs.

Edit: As I was curious I dug around a bit (my DNS knowledge isn’t my strongest) but it looks like you might use a SRV record to point your subdomain to your toplevel domain on a different port. So foo.example.com would resolve to example.com:33, at least according to this thread: https://stackoverflow.com/questions/19015138/how-to-redirect-dns-to-different-ports

This is probably some setup that isn’t that usual … so you might run into some walls.
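Added example, not part of either answer: the client-side equivalent of what both answers arrive at (one public IP, one forwarded port per machine) is an ~/.ssh/config on the outside machine, which makes "ssh user@foo.example.com" reach machine 2 on port 33 with no DNS or router change at all. The ports and the 192.168.0.15 / 192.168.0.4 split are taken from the question; the name for machine 1 (bar.example.com) is assumed. HostKeyAlias pins each machine's host key under its own name, so two different hosts behind the same public IP never share a known_hosts entry and a key change on one of them is still noticed.

```sshconfig
# ~/.ssh/config on the laptop outside the home network (added example)

# Machine 2 (192.168.0.15 on the LAN): router forwards public port 33 -> 22
Host foo.example.com
    HostName example.com          # the only reachable address: the public IP 1.2.3.4
    Port 33
    User user
    HostKeyAlias foo.example.com  # known_hosts entry is kept per machine, not per public IP:port
    StrictHostKeyChecking ask     # refuse silently if the pinned key ever changes

# Machine 1 (192.168.0.4 on the LAN): router forwards public port 22 -> 22
Host bar.example.com
    HostName example.com
    Port 22
    User user
    HostKeyAlias bar.example.com
    StrictHostKeyChecking ask
```

The Host patterns are only matched by the ssh client; foo.example.com and bar.example.com do not need to exist in public DNS at all for this to work.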
