Local network sporadically not working - cannot ssh via hostname

I have a small home network:

Fritzbox 7530 modem
Firewall
Fritzbox 4040

Could not resolve hostname yyy.

The access with browser is working.

ssh is setup for the firewall and now ssh is not working anymore.
How to search for the error ?

The settings in the Fritzbox 4040 are wrong: I have connected the computer directly to the firewall and then ssh worked.

I have tried to connect with another computer and now ssh is working.

This occurs from time to time and not always.

Make sure your target system(s) are assigned static IP otherwise portforwarding will fail.

1 Like

For both Fritzbox 7530 and 4040, there is a static IP address:

  1. Fritzbox 7530: http://192.168.178.1
  2. Fritzbox 4040: http://192.168.188.1

The firewall has also a static IP address.

Simple DNS problem. If you use your Firtzbox as a DNS server this can happen.
If you know the IP, use it and not the Hostname. You can also create a SSH config with a simple name like “firewall” and use as a HostName the IP.

The firewall has a static IP: https://192.168.0.30

and is the DNS server.

What can I do, when this problem occurs the next time ?

Try to find out why your DNS is not working.

Then I use ip a on console next time.

I have also reinstalled the firewall.
Last time, the firewall didn´t work correctly.

Why, how will it help with a DNS problem?

This is totally impossible to provide any meaningful response for

If a hostname cannot be resolved then the nameserver queried does not know about the hostname - which makes it a DNS issue.

Make sure you are using valid nameserver and configuration.

:question: if you have more than one ssh service - you need to forward two different incoming ports e.g.

local ip x:22 ← wan ip:33322
local ip x:22 ← wan ip:33323

As you stated above you have static IP - then your routing table is off.

You are operating with 3 different subnets

  • 192.168.0.0/24
  • 192.168.178.0/24
  • 192.168.188.0/24

I suggest you create a visual map of your network and take a deep dive into routing and how you create static routes to match your requirements.

1 Like

Now, the login with ssh works.

I have used the command ssh root@Sol.Firewall to login to the firewall.

If that didn´t work, the output was Could not resolve hostname root@sol.firewall.

If I was using ssh -v root@Sol.Firewall two more lines occured.
The system was reading

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf

and nothing else was displayed.

This is a DNS problem. It is not a SSH or a routing problem.

I can´t set the IP address of the two Fritzbox(es) randomly.

The DNS information of the internet is delivered by the internet provider.

Your internet provider can’t know the IP of your firewall. The problem is not the DNS for Internet addresses. It is a problem with your local DNS Setup.

Today morning, the internet was very slow.
The firewall was affected.

I had the same experience - but:
that does not matter at all!

192.168.0.0/24
192.168.178.0/24
192.168.188.0/24

This is your home network, you said.
These Addresses / IP’s are local to your home network.
They are not routed through the internet.
Whatever happens out there can’t affect your home network in that IP range.

The output of ssh -v root@sol.firewall is like this, when it is working:

OpenSSH_9.8p1, OpenSSL 3.3.2 3 Sep 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: Connecting to sol.firewall [192.168.0.30] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: compat_banner: match: OpenSSH_7.2 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to sol.firewall:22 as 'root'
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:2D6iPtE3dqVjmYwqSMNaLShwE9hWx8KmC2JM6FwbDX4
debug1: load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'sol.firewall' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Will attempt key: /root/.ssh/id_rsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /root/.ssh/id_ed25519 
debug1: Will attempt key: /root/.ssh/id_ed25519_sk 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug1: Trying private key: /root/.ssh/id_xmss
debug1: Next authentication method: password
root@sol.firewall's password: 

When this command works - then there is some kind information which links the host sol.firewall and the IP address 192.168.0.30

One place this could be is the /etc/hosts file …

That’s not an ip (address) that’s a url.
The firewalls ip appears to be 192.168.0.30.

If you know the ip won’t change you can add it to /etc/hosts. Amend a line

firewall 192.168.0.30

and your system can resolve the firwall hostname without an (external) working dns.

title adjusted

I added this line to /etc/hosts.

And what happened today morning:
I was able to update the firewall with ssh, the update of the firewall as successful and then ssh stopped working.

Just remember that /etc/hosts is a per-system-file - changes on one system is not replicated to other system.

So if you have several system which should be able to ssh into your firewall you will need to copy the host file to those other systems - or make similiar edits with the other system’s host file