How to bridge a subnet to the firewall


Matt Drez

May 6, 2020, 2:18:09 PM
to qubes...@googlegroups.com
Hey guys,

My setup is sys-net <--> firewall <--> Special Purpose Server (SPS) <--> open subnet of qubes

I set up the SPS to capture and analyze traffic. When I created the VM I marked "provides networking" so any other VM behind can connect to it and can get out to the internet.

My problem is that I don't see their individual IP addresses in the capture, just a NAT'd address of SPS's eth0. I suppose I have to create a bridge somehow but that's way beyond my skills.

Could one of you geniuses please help me with a detailed walkthrough?

Thanks a bunch,

Matt




dhorf-hfre...@hashmail.org

May 6, 2020, 4:06:55 PM
to Matt Drez, qubes...@googlegroups.com
On Wed, May 06, 2020 at 06:17:58PM +0000, 'Matt Drez' via qubes-users wrote:

> My problem is that I don't see their individual IP addresses in the
> capture just a NAT'd address of SPS's eth0. I supposed I have to
> create a bridge somehow but that's way beyond my skills.

you are simply sniffing the wrong side of the SPS.
sniff the downstream interface(s) instead of upstream.


> Could one of you geniuses please help me with a detailed walk through?

this is basic linux networking.
read some primer on "linux as a router" or so.



Matt Drez

May 6, 2020, 6:05:23 PM
to dhorf-hfre...@hashmail.org, qubes...@googlegroups.com
> you are simply sniffing the wrong side of the SPS.
> sniff the downstream interface(s) instead of upstream.

wouldn't a tcpdump -i eth0 sniff rx tx?

I see all external IPs it is reaching out to, but any hosts below the SPS show as if the traffic is coming from the SPS.


> this is basic linux networking.
> read some primer on "linux as a router" or so.
It's very educational to know that this is basic networking. Thank you for that. If it is so trivial it must be a few easy commands. Could you please provide them?


Jarrah

May 7, 2020, 3:47:07 AM
to qubes...@googlegroups.com

>> you are simply sniffing the wrong side of the SPS.
>> sniff the downstream interface(s) instead of upstream.
> wouldn't a tcpdump -i eth0 sniff rx tx?

You will get the NAT'd addresses with this. You want to listen on the
vif* addresses.

eth0 is the upstream interface. In your SPS it goes to the firewall.

vif* are the downstream interfaces. They go to your VMs.


If you want the individual IP addresses, you need to listen on all of
the downstream interfaces.
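
Added example, not part of the original thread: one way to capture on every downstream vif* interface of the SPS at once, so packets are recorded before they are NAT'd onto eth0. The function names and the /tmp/sps-capture output directory are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the default
# output directory are hypothetical.

# Print the downstream (VM-facing) vif* interfaces, one per line.
# $1: sysfs network directory (defaults to the real one).
list_downstream_ifaces() {
    for path in "${1:-/sys/class/net}"/vif*; do
        [ -e "$path" ] || continue   # unmatched glob: no VM is attached
        basename "$path"
    done
}

# Dry run: print the tcpdump command that would be started per interface.
# -n: do not resolve addresses to names; -w: write raw packets to a file.
build_capture_cmds() {
    list_downstream_ifaces "${1:-/sys/class/net}" | while read -r ifc; do
        printf 'tcpdump -n -i %s -w %s/%s.pcap\n' "$ifc" "${2:-/tmp/sps-capture}" "$ifc"
    done
}

# Start one background capture per downstream interface (needs root).
start_captures() {
    outdir="${2:-/tmp/sps-capture}"
    mkdir -p "$outdir"
    for ifc in $(list_downstream_ifaces "${1:-/sys/class/net}"); do
        tcpdump -n -i "$ifc" -w "$outdir/$ifc.pcap" &
    done
    wait   # block until every tcpdump has exited
}

# Only capture when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    start_captures /sys/class/net "${2:-/tmp/sps-capture}"
fi
```

The interface list is read once at start, so a qube attached to the SPS afterwards gets a new vif* that is not captured until the script is run again.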


Matt Drez

May 11, 2020, 11:26:44 AM
to Jarrah, qubes...@googlegroups.com
> > > you are simply sniffing the wrong side of the SPS.
> > > sniff the downstream interface(s) instead of upstream.
> > > wouldn't a tcpdump -i eth0 sniff rx tx?
>

> You will get the NAT'd addresses with this. You want to listen on the
> vif* addresses.
Thank you. That worked. I appreciate your help.



