Currently I have the usual sys-net/sys-firewall. Each service VM (access points, FreeNAS, etc.) has its own firewall VM. Those firewall service VMs are all connected to sys-firewall.
I followed the instructions in the qubes-firewall docs for setting up forwarding between the service firewalls through sys-firewall. Each service firewall VM (and its associated service VM) can ping every firewall VM in the system. But the actual service VMs themselves cannot ping each other.
So, for example: FreeNAS VM > FreeNAS VM firewall > sys-firewall > home security firewall VM.
All will allow ping, but I can't get FreeNAS to talk to the home security VM, as I intend to use the NAS storage to store the camera footage.
Similarly, the home security VM can do the same amount of pings, but fails to talk to FreeNAS.
I suspect NAT is the issue but lack the knowledge base to enable this to work.
I am not particularly dead set on using all these firewall VMs either, but this is the config that's gotten me the furthest so far.
I'd rather not have all these VMs, as the overhead is pointless.
I also did not realize there was a switch; I'll read up on nft.
I would like another VM to control all (or some) other physical interfaces on my machine (access points, etc.).
I would like a qube VM from within the machine running Qubes to be able to connect via those physical interfaces as if they were also attached to the physical interface.
Ideally, so that Qubes OS is segregating physical NICs along with applications.
So let's say FreeNAS is running inside Qubes. And someone near my access point wants to use FreeNAS via Wi-Fi; they would log in via SSH or whatever over the access point.
But if that same someone is somewhere else, they can SSH or whatever to FreeNAS via the internet and the WAN NIC that sys-net controls.
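Added example, not from the post: a shell helper that prints, per hop, the nft rules and the one route that the path described above (FreeNAS VM > FreeNAS firewall > sys-firewall > home security firewall > home security VM) would need in the FreeNAS-to-camera direction. It assumes Qubes 4.2's `ip qubes` table with its `custom-forward` and `custom-input` chains, Qubes' default masquerading of traffic a firewall qube sends upstream, and placeholder 10.137.0.x addresses.

```shell
#!/bin/sh
# Per-hop rule plan for: freenas-vm -> freenas-fw -> sys-firewall -> homesec-fw -> homesec-vm
# Assumptions (verify in each qube with `nft list table ip qubes` and `ip route`):
#  * user rules live in table `ip qubes`: chain custom-forward (transit traffic in a
#    firewall qube) and chain custom-input (traffic to the qube itself);
#  * a firewall qube masquerades what it sends upstream, so beyond freenas-fw the
#    source address is freenas-fw's IP, not freenas-vm's (this is the NAT effect);
#  * sys-firewall only has /32 routes for qubes attached directly to it, so it needs
#    to be told that homesec-vm sits behind homesec-fw;
#  * replies are matched by the established/related rule each hop already has.
# All addresses are placeholders; substitute the ones shown by `qvm-ls -n`.
FREENAS_VM=10.137.0.10; FREENAS_FW=10.137.0.11
HOMESEC_VM=10.137.0.20; HOMESEC_FW=10.137.0.21

fwd() { printf 'nft add rule ip qubes custom-forward ip saddr %s ip daddr %s accept\n' "$1" "$2"; }
inp() { printf 'nft add rule ip qubes custom-input ip saddr %s accept\n' "$1"; }
rt()  { printf 'ip route add %s/32 via %s\n' "$1" "$2"; }

# Print the commands for one hop. Run them as root inside that qube; they do not
# survive a reboot, so keep them in /rw/config/qubes-firewall-user-script (firewall
# qubes) or /rw/config/rc.local (the app qube) once they work.
hop_rules() {
  case "$1" in
    freenas-fw)   fwd "$FREENAS_VM" "$HOMESEC_VM" ;;                    # pre-NAT: real source
    sys-firewall) fwd "$FREENAS_FW" "$HOMESEC_VM"; rt "$HOMESEC_VM" "$HOMESEC_FW" ;;
    homesec-fw)   fwd "$FREENAS_FW" "$HOMESEC_VM" ;;                    # post-NAT source
    homesec-vm)   inp "$FREENAS_FW" ;;                                  # what the camera qube sees
    *) echo "unknown hop: $1" >&2; return 1 ;;
  esac
}

# Whole plan, one section per hop, in path order.
plan() {
  for h in freenas-fw sys-firewall homesec-fw homesec-vm; do
    echo "## $h"
    hop_rules "$h"
  done
}

plan
```

The reverse direction (camera qube initiating toward FreeNAS) needs the mirror-image set with the roles of the two firewalls swapped.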