$ ifconfig
enp0s0f0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether a0:36:9f:97:ce:24 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp0s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.1.233 netmask 255.255.0.0 broadcast 10.0.255.255
inet6 fe80::9934:506d:1243:9213 prefixlen 64 scopeid 0x20<link>
ether a0:36:9f:97:ce:26 txqueuelen 1000 (Ethernet)
RX packets 155843244 bytes 227740975446 (212.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 97508817 bytes 32454133642 (30.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 52 bytes 3644 (3.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 52 bytes 3644 (3.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vif7.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.4.1 netmask 255.255.255.255 broadcast 0.0.0.0
inet6 fe80::fcff:ffff:feff:ffff prefixlen 64 scopeid 0x20<link>
ether fe:ff:ff:ff:ff:ff txqueuelen 32 (Ethernet)
RX packets 80035111 bytes 775715569 (739.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 155646140 bytes 60288462 (57.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vif9.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.137.4.1 netmask 255.255.255.255 broadcast 0.0.0.0
inet6 fe80::fcff:ffff:feff:ffff prefixlen 64 scopeid 0x20<link>
ether fe:ff:ff:ff:ff:ff txqueuelen 32 (Ethernet)
RX packets 76996 bytes 5962260 (5.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 36328 bytes 3932143 (3.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Basically I want no filtering of packets in/out through this NetVM. Both the NetVM and any VM connected through it can ping outside IPs, but no machines on the local network can PING into Qubes.
Do I need to set up a ProxyVM to allow all traffic in?
Thank you for the link. It provided a good foundation.
> But this may not be what you want. It reads as if you want to have
> sys-net operating as a router. You can do this quite simply by changing
> the iptables configuration and using proxy arp to make sure that the
> external network sees the qubes behind the router.
> Alternatively you could use the netvm as a gateway to the network of
> qubes, and make sure that THAT route is propagated on your internal
> network.
Thank you, it seems like using proxy arp is the way to go for me. That way I can still use a dynamic address for my NetVM.
I'm getting back to this thread, still haven't got everything working:
My NetVM is connected to a local network 10.0.0.0/16, and gets a dynamic IP via DHCP.
AppVMs connect directly to the NetVM, without any firewall, and all firewall rules have been removed from the NetVM.
All networking is now working fine, both between AppVMs and from AppVMs and into the 10.0.0.0/16 network.
Now I need to have the AppVMs available from the 10.0.0.0/16 network...
Where do I need to enable arp_proxy to make this happen? Only on the NetVM interface connected to the 10.0.0.0/16 network, or also on the vif interfaces on the NetVM, or in the AppVMs as well?
Yes, I know about Qubes-network-server, but I was hoping to get this working without requiring static IPs for AppVMs, and also better support for Windows VMs.
So my local network is 10.0.0.0/16 and default GW for all DHCP clients (including my NetVM) is 10.0.0.7
The dynamic IP of the NetVM might be 10.0.1.23. So if a client on my "outside" network tries to contact an AppVM (10.137.4.23 for example), will it send an arp-request (letting arp_proxy do its trick), or will it just send the packet to the default GW (which currently has no route to 10.137.4.0/24)?
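As an added illustration of the delivery question in the last post (not part of the thread or of Qubes itself), this Python model uses the thread's addresses to show which of the two approaches from the quoted reply applies: a LAN host only sends an ARP request, which is the only thing a proxy-ARP responder on the NetVM can answer, when the destination lies inside the host's own on-link prefix; anything outside that prefix goes to the default gateway, which then needs a route for the qubes network. The gateway route table and the hypothetical on-link AppVM address 10.0.200.5 are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address

# Constructed from the thread's own numbers: LAN 10.0.0.0/16 with default
# gateway 10.0.0.7, a NetVM DHCP lease of 10.0.1.23, AppVMs in 10.137.4.0/24.
LAN = ipaddress.ip_network("10.0.0.0/16")
DEFAULT_GW = ipaddress.ip_address("10.0.0.7")
NETVM_ADDR = ipaddress.ip_address("10.0.1.23")
APPVM_NET = ipaddress.ip_network("10.137.4.0/24")


def first_hop(client_net: IPv4Network, dst: str) -> str:
    """What a LAN host does with a packet for dst: ARP for it when dst lies
    inside its own on-link prefix, otherwise hand it to the default gateway."""
    return "arp" if ipaddress.ip_address(dst) in client_net else "gateway"


def delivery_path(client_net: IPv4Network, dst: str,
                  gateway_routes: Dict[IPv4Network, IPv4Address]
                  ) -> Tuple[str, Optional[str]]:
    """Model the two options from the quoted reply.

    "on-link-arp": the host ARPs for dst, so proxy_arp on the NetVM's LAN
    interface can answer for a qube.  Otherwise the packet reaches the
    default gateway, which forwards it only if it holds a route for the
    qubes network (gateway_routes is an assumed table of prefix -> next hop,
    where the next hop would be the NetVM's current, possibly dynamic, lease).
    """
    dst_ip = ipaddress.ip_address(dst)
    if first_hop(client_net, dst) == "arp":
        return ("on-link-arp", None)
    for net, via in gateway_routes.items():
        if dst_ip in net:
            return ("gateway-route", str(via))
    return ("unroutable", str(DEFAULT_GW))
```

With the thread's addressing, a packet for 10.137.4.23 never produces an ARP request on the LAN, so proxy ARP on the NetVM cannot see it; proxy ARP would only apply if the qubes carried addresses inside 10.0.0.0/16.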