This is not the first time that ssh did not work correctly.
Email and browsing the internet were working.
I think you mean that your specific use case is flaky at times.
Generally ssh works as expected. What you describe is not normal behavior, so you have one or more configuration issues in your local setup.
Connecting 3 different subnets as you described above requires knowledge of routing - this is not plug'n'play - if anything it is plug'n'pray.
You have not specified the subnet or netmask, assuming that you are using /24 (254 viable addresses)
You have 2 routers
Then you have a firewall at
How do you route traffic from your routers to the firewall?
Example:
If you want to route traffic between 192.168.178.0/24 and 192.168.188.0/24 you need static routing or you need to change the subnet from /24 to /16 on all networks, which gives a netmask of 255.255.0.0.
The example will only work if all networks are accessible through the same physical network.
The router Fritzbox 4040 (IP 192.168.188.1) sends ping to the connected computers.
I think we have a xy problem.
Have you chained the devices?
router1 → router2 → firewall
If your network is 192.168.188.0/24 with the router having 192.168.188.1, where are the other IP addresses coming from?
The addresses 192.168.178.1/24 and 192.168.0.30/24 where do they come from?
The setup is as follows:
Fritzbox 7530 (modem and router) → firewall → Fritzbox 4040 (router).
The 4 computers (3 computers and the laptop (WLAN)) and the printer are connected to Fritzbox 4040 (router).
Probably, the DNS table should be changed from the internet.
That is not going to happen
To me it looks like you have overly complicated your setup.
What brand is the firewall (sorry if I missed that info)?
re this:
Why is it like this?
Each of the FritzBox Routers already have got their own built in firewall.
And then you put another one in between them.
Each one of them in a different subnet - and your devices only use / connect through the last one in the chain (the FritzBox 4040).
I have an Endian Firewall with a small computer.
… and that is, presumably, the second firewall - in between the two others (two Fritz!Box routers)
… three firewalls in between the internet and your devices …
You have created two extra NATted networks.
If you have used switches to chain - you may have introduced one or more additional DHCP services to your network.
Only one is allowed and so they will compete and only one will remain.
Depending on which may explain why your ssh is flaky - the route may or may not exist.
The firewall device should have two network interfaces - one eno0 as incoming - second end1 as outgoing - connecting to your router2. You must - through cabling - ensure that the devices are isolated.
But I still think you are rolling too many big guns for the target that is your local network.
ssh is not available from the internet.
Your issue is not related to Manjaro or updates - it is caused by how you have chosen to set up your network. For every additional jump after the first entry point you need to manually add the necessary rules and routing.
You need to learn about network, subnet, routing and nameservers.
As I said this kind of setup is not plug'n'play but plug'n'pray - it will not automagically configure itself.
You need to do some reading in books on advanced network routing
Do you want it to be? Mine isn't, unless I allow it, which I don't as I haven't enough knowledge about the security aspects, at least as of now.
My mate did for a while and caught loads of intrusion attempts. Also, on one occasion, someone managed to send something to her printer.
I really know, was this was…
H*****.
Addendum: there is a firewall on the computer, too.
The answer is - sorry for being blunt - lack of knowledge and an expectation that networks are self-configuring and self-healing.
You cannot daisy chain the units and expect it to work OOB. While it will work in outgoing direction - the incoming direction requires more consideration.
In case of someone trying to hack your local network it will be more and more difficult when one is adding more layers. In your case you have three (3) layers before a packet originating from the internet can reach your local network.
This makes the setup more difficult to penetrate - but it also makes routing valid incoming traffic - e.g. your personal SSH service - more difficult to route correctly.
You need to take into consideration that you - depending on where your ssh service is placed - need to create routes through the hops - and if you want to access that same ssh service from your lan - you need to create backwards static routes to correctly address that service from the local network.
This creates a void where devices connected to the third unit do not know anything about devices connected to the first unit.
You need to explicitly configure unit 3 how it should route to the network provided by unit 1.
The lack of this routing information is creating your problem.
Here is the IP address:
[UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:f0:b0:14:71:f4:8f:08:00 SRC=192.168.188.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=16471 DF PROTO=2
what I see (as a lay person):
From which devices firewall logs is this? You have three.
Perhaps the one in the middle of the chain?
I think you are much too terse with your information tidbits.
You get elaborate answers, spanning multiple paragraphs.
And your response tends to be very, very terse and even cryptic.
The firewall was hacked several times until now - I had to reinstall.
I could not login to firewall with ssh then.
No you are wrong. Nothing was hacked. You just did not correctly set up your Network and DNS.
I bet you have zero evidence for this.
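The [UFW BLOCK] line posted earlier in this thread can be read field by field. The Python below is an added example, not written by any participant in the thread; it parses that line and a second, constructed line for contrast, and assumes the 192.168.188.0/24 network mentioned above.

```python
import ipaddress
import re

# Log line exactly as posted in the thread.
THREAD_LINE = ("[UFW BLOCK] IN=eno1 OUT= "
               "MAC=01:00:5e:00:00:01:f0:b0:14:71:f4:8f:08:00 "
               "SRC=192.168.188.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 "
               "TTL=1 ID=16471 DF PROTO=2")
# Constructed line for contrast (documentation address, made-up ports).
CONSTRUCTED_LINE = ("Jan  1 00:00:00 host kernel: [  12.345678] [UFW BLOCK] "
                    "IN=eno1 OUT= MAC=aa:aa:aa:aa:aa:aa:bb:bb:bb:bb:bb:bb:08:00 "
                    "SRC=203.0.113.7 DST=192.168.188.20 LEN=60 TTL=52 "
                    "PROTO=TCP SPT=40000 DPT=22 SYN")
LAN = ipaddress.ip_network("192.168.188.0/24")  # network from the thread, /24 assumed
PROTO = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers


def parse_ufw_line(line):
    """Split a UFW kernel log line into fields; bare flags (DF, SYN) map to True."""
    match = re.search(r"\[UFW ([A-Z ]+)\] (.*)", line)
    if match is None:
        return None
    fields = {"ACTION": match.group(1)}
    for token in match.group(2).split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields


def split_mac(mac_field):
    """The MAC= field is destination MAC, source MAC, then EtherType."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return None
    return {"dst": ":".join(octets[:6]), "src": ":".join(octets[6:12]),
            "ethertype": "".join(octets[12:])}


def classify(fields, lan=LAN):
    """Coarse triage: on-link multicast chatter versus unicast traffic."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    proto = PROTO.get(fields.get("PROTO"), fields.get("PROTO"))
    if dst.is_multicast:
        # TTL=1 cannot cross a router, so the sender is on the same segment.
        on_link = fields.get("TTL") == "1" and src in lan
        return f"{proto} multicast, {'on-link sender' if on_link else 'check sender'}"
    origin = "LAN" if src in lan else "outside LAN"
    return f"{proto} unicast from {origin} to port {fields.get('DPT', 'n/a')}"
```

For the posted line this yields an IGMP packet to the all-hosts group 224.0.0.1 with TTL 1, sent by 192.168.188.1 on the local segment, which is local multicast traffic rather than a connection attempt from the internet.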