VLAN to AppVM?


Marcus Dilger

Mar 22, 2017, 8:10:47 AM
to qubes-users
Hello,
I am trying to connect a group of AppVMs to different VLAN networks. The VLAN networks are available at the physical network adapter (LAN adapter).

What I have done:
Set up a VLAN interface in the netVM via NetworkManager; that interface is already visible via ifconfig and also gets an IP from the DHCP server of the VLAN.

But I have no idea how to connect a sys-firewall / proxy VM to that additional VLAN interface of the netVM. Is that the best approach at all? Or maybe it is possible to have multiple netVMs, one for each VLAN?

Thank you,
best
Marcus


Dominique St-Pierre Boucher

Mar 22, 2017, 8:39:26 AM
to qubes-users
Interesting question, I don't think that will work right out of the box... I would suggest having a second network card with a second netVM in order to do this easily... But I would love to have a netVM that could redirect to different FirewallVMs based on VLAN!

Dominique

Unman

Mar 22, 2017, 12:14:56 PM
to Dominique St-Pierre Boucher, qubes-users
The obvious route would be to use iptables to separate the traffic to
the different interfaces - it's really no different from routing some
traffic through a VPN interface.

I'd suggest adding another firewall/proxy to your sys-net.
You want some FORWARD rules that restrict traffic from firewallA to the
vlan interface and drop anything else.
Something as simple as this might do:

iptables -I FORWARD -o <vlan iface> -j DROP
iptables -I FORWARD -s firewallA -j DROP
iptables -I FORWARD -s firewallA -o <vlan iface> -j ACCEPT

You will need to set those rules in /rw/config/rc.local, and also have
similar rules to set them in the event of a network event - that's in
/rw/config/qubes-firewall-user-script

hth

unman

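As an added worked example (not unman's or the Qubes project's own code), here is a script for sys-net that emits the three FORWARD rules above in a form that stays idempotent when /rw/config/rc.local and /rw/config/qubes-firewall-user-script both re-run it, and goes one step beyond the reply by adding the source-based policy route that is also needed, since a FORWARD rule with `-o <vlan iface>` only matches packets the kernel has already routed to that interface. The interface name, the firewall VM's internal IP, the VLAN gateway and the routing-table number are assumed placeholders.

```shell
#!/bin/sh
# Constructed example for sys-net (Qubes 3.x), not from the thread.
# Assumed placeholders, override via environment:
#   VLAN_IF : the VLAN interface created in sys-net (e.g. eth0.200)
#   FW_A    : the Qubes-internal IP of the firewall/proxy VM that should
#             use the VLAN (its eth0 address, as shown by `qvm-ls -n`)
#   VLAN_GW : the VLAN's router, as handed out by the VLAN's DHCP server
#   RT_TABLE: a spare routing-table number for the VLAN route
VLAN_IF="${VLAN_IF:-eth0.200}"
FW_A="${FW_A:-10.137.2.10}"
VLAN_GW="${VLAN_GW:-192.168.200.1}"
RT_TABLE="${RT_TABLE:-200}"

# Emit the commands instead of running them, so the rule set can be
# reviewed (and tested) before being piped to sh.
vlan_rules() {
    # $1=vlan iface  $2=firewall VM IP  $3=VLAN gateway  $4=route table
    # 1. Policy routing: packets *from* the firewall VM are routed out
    #    the VLAN interface. Without this they would follow the default
    #    (untagged) route and rule 2b below would simply drop them.
    printf 'ip route replace default via %s dev %s table %s\n' "$3" "$1" "$4"
    printf 'ip rule del from %s lookup %s 2>/dev/null\n' "$2" "$4"
    printf 'ip rule add from %s lookup %s priority 100\n' "$2" "$4"
    # 2. FORWARD rules. -I inserts at the top, so emit them in reverse
    #    of the order they must match; -C first keeps the script
    #    idempotent when it is re-run on every network event.
    #    2c: nothing else may leave via the VLAN
    #    2b: the firewall VM may go nowhere else
    #    2a: firewall VM -> VLAN is allowed (ends up first in the chain)
    for r in \
        "-o $1 -j DROP" \
        "-s $2 -j DROP" \
        "-s $2 -o $1 -j ACCEPT"; do
        printf 'iptables -C FORWARD %s 2>/dev/null || iptables -I FORWARD %s\n' "$r" "$r"
    done
}

# Print by default; `apply` (called from /rw/config/rc.local and
# /rw/config/qubes-firewall-user-script) runs the commands as root in sys-net.
if [ "${1:-}" = "apply" ]; then
    vlan_rules "$VLAN_IF" "$FW_A" "$VLAN_GW" "$RT_TABLE" | sh
else
    vlan_rules "$VLAN_IF" "$FW_A" "$VLAN_GW" "$RT_TABLE"
fi
```

Run it without arguments first and check the printed rules against what you expect before wiring the `apply` call into the two Qubes hook scripts.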
Marcus Dilger

Mar 22, 2017, 5:10:16 PM
to qubes-users, domin...@gmail.com, un...@thirdeyesecurity.org
Thank you for your answer. I get the point with iptables. But I am lost with the VM stack structure...

Let's say the trunk contains 3 types of packets, e.g. packets without VLAN, with VLAN100 and with VLAN200.

So maybe the stack could be:

=> LAN Adapter => Trunk
=> netVM => Trunk
=> sys-Firewall => Trunk
=> sys-Proxy + add Interface for VLAN200 + IPTables => VLAN200
=> AppVM

Will the VMs connected to the netVM also see trunk traffic?

Thanks
Marcus

Marcus Dilger

Mar 24, 2017, 2:31:20 PM
to qubes-users
No way. Still not succeeded. Only the netVM gets VLAN traffic. All VMs behind it (i.e. firewall, proxy) get untagged traffic only.
What does work is an additional VLAN interface in the netVM for tagged traffic. But I have no idea how to configure the firewall / proxy VM behind it to connect to that additional interface.

Any help would be appreciated.

Thanks,
best
Marcus