HELP: TemplateVM's have lost internet access
sectest...@gmail.com
I can ping sys-firewall, but not the internet. firefox also lost access.
Also tested with the debian-8 template, & fedora-23-minimal template. None have Internet access.
I CAN access the internet using VM's based on the templates, BUT Not with actual template its self.
Im sure the template VM's used to be able to access internet after i first installed Qubes. Has an update caused this problem?
Im running Qubes R3.2
Ive tried restarting the VM's & rebooting the entire computer. What should i try next?
Thanks
SEC Tester
I just ran qvm-revert-template-changes fedora-23
Unfortunately still not able to ping out to the internet from templateVM.
Could sys-firewall config be causing this? I havent even played with those settings tho.
Drew White
There are different things that can cause this.
At some points, just re-creating the NetVM will cure the issue.
So in global settings, set there to be no default NetVM.
Then unset the NetVM from any Guests.
Then delete it and re-create it.
Then reassign it as default.
That cures mine WHEN it happens, which is rare to see any more, but it does happen.
Drew White
And don't forget to re-assign the NIC to the NetVM.
SEC Tester
It wasn't possible to 100% follow your instructions;
In "Global settings" it doesn't seem possible to set the default "netVM" to "none". It only lists choices of netVM or ProxyVMs. I left it set to "sys-firewall".
I followed the rest of your instructions. Deleted the sys-net VM, created a new one.
re-assigned the network adapter with qvm-pci -a <vmname> <bfd>
when setting sys-net as default netVM, the templates can ping the Internet. BUT shouldnt i keep everything proxied through sys-firewall?
Or is there some reason the templates cant go through the sys-firewall? and must go through sys-net?
It seems more clear at this point the sys-firewall is responsible for stopping the templates internet. But i dont know why?
I could set the template netVM to sys-net, but would prefer to solve this if possible?
Look forward to your reply.
Unman
https://www.qubes-os.org/doc/software-update-vm/
and check the sections on "allowing networking for software update" and
"Updates proxy".
By default templates are prohibited from accessing the internet except
via the update proxy. This is a security measure.
If a template is compromised then all qubes based on it will be
compromised. The default setup is a small step toward providing some
protection. It restricts access from a template to the update proxy
service running on the upstream proxyVM, in your case sys-firewall.
Drew's advice addresses another issue - not yours.
I don't believe that the templates would ever have had internet access.
You say that you need internet access to install software: you can
either temporarily allow access as detailed on the above page - not
advisable because of a bug that doesn't then reset the firewall rules, so
"temporarily" is a complete misnomer - OR access the software source in a
qube and then copy it across to the template.
Perhaps I've misunderstood your problem. If so, apologies.
unman
SEC Tester
You might be right about them never having internet access. Because dnf & yum works, i think i assumed the internet work.
The reason i actually found this issues, was because i was ping testing, trying to solve a problem i was having setting up a VPN ProxyVM.
(See this thread i just posted)
https://groups.google.com/forum/#!topic/qubes-users/T0wbCuIgISg
When i found the templates couldnt ping the internet, it sent me down this path trying to trouble shoot.
I can still dnf yum etc now even while on sys-firewall. So we can consider this "issue" solved.
Thank you Unman & Drew.