is it possible to have two sys-net for one firewall vm?
106 views
Skip to first unread message
alain....@gmail.com
Jul 22, 2019, 10:51:33 AM7/22/19
to qubes-users
hello,
I use Qubes-os 4 on a computer which provides 2 ethernet intefaces. For my project iI need to separate these 2 interfaces (sys-net1, sys-net2). But i have to use only 1 firewall on which the 2 sys-net would be linked.
Is it possible?
I don't find the solution for the moment. One of these 2 sys-net is created without vif interface...
Thanks a lot!
Alain
I use Qubes-os 4 on a computer which provides 2 ethernet intefaces. For my project iI need to separate these 2 interfaces (sys-net1, sys-net2). But i have to use only 1 firewall on which the 2 sys-net would be linked.
Is it possible?
I don't find the solution for the moment. One of these 2 sys-net is created without vif interface...
Thanks a lot!
Alain
unman
Jul 22, 2019, 11:44:11 AM7/22/19
to qubes-users
Can you explain why you only want to have one sys-firewall? It would be
much cleaner to separate the traffic completely.
It *is* possible to do what you want, but you need to play with the Qubes
networking model, and manipulate NAT and routing on the sys-firewall.
In particular, you will need to attach sys-net2 as a client to
sys-firewall, and follow the procedures for allowing inter qube traffic.
I've posted on this before. If you need some pointers, give some
more detail on your setup and needs, (and level of knowledge), and I'll
try to help.
unman
alain....@gmail.com
Jul 23, 2019, 2:40:54 AM7/23/19
to qubes-users
Hello Unman,
Thanks for your answer.
Yes it is in fact to separate traffic. It is an security requirement.
I've differents use cases in my project, others including port forwarding, DNAT and filter iptables, for that it's OK.
But when i want create 2 sys-net for 1 firewall, the second sys-net don't have vif interface and so, I can't reach him from firewall.
Is there a solution to add vif interface manualy?
Thanks
alain
Le lundi 22 juillet 2019 17:44:11 UTC+2, unman a écrit :
Thanks for your answer.
Yes it is in fact to separate traffic. It is an security requirement.
I've differents use cases in my project, others including port forwarding, DNAT and filter iptables, for that it's OK.
But when i want create 2 sys-net for 1 firewall, the second sys-net don't have vif interface and so, I can't reach him from firewall.
Is there a solution to add vif interface manualy?
Thanks
alain
Le lundi 22 juillet 2019 17:44:11 UTC+2, unman a écrit :
Jon deps
Jul 24, 2019, 8:23:28 PM7/24/19
to qubes...@googlegroups.com
On 7/22/19 2:51 PM, alain.cordat-Re5J...@public.gmane.org
wrote:
I know this is unrelated but when I look at Xentop I see two sys-net
and 1 sys-firewall and 2 sys-vpn (appbased proxy VMs)
but in Qubes manager there is 1 sys-net and 1 sys-vpn is this normal
or what might cause this ?
wrote:
and 1 sys-firewall and 2 sys-vpn (appbased proxy VMs)
but in Qubes manager there is 1 sys-net and 1 sys-vpn is this normal
or what might cause this ?
brenda...@gmail.com
Jul 26, 2019, 6:36:19 AM7/26/19
to qubes-users
Use xentop -f to show full names.
Those are likely the stub domains used for device handling, etc.
unman
Jul 26, 2019, 9:50:56 AM7/26/19
to qubes-users
On Mon, Jul 22, 2019 at 11:40:54PM -0700, alain....@gmail.com wrote:
> Hello Unman,
> Thanks for your answer.
> Yes it is in fact to separate traffic. It is an security requirement.
> I've differents use cases in my project, others including port forwarding,
> DNAT and filter iptables, for that it's OK.
> But when i want create 2 sys-net for 1 firewall, the second sys-net don't
> have vif interface and so, I can't reach him from firewall.
> Is there a solution to add vif interface manualy?
> Thanks
> alain
> Le lundi 22 juillet 2019 17:44:11 UTC+2, unman a ??crit :
> Hello Unman,
> Thanks for your answer.
> Yes it is in fact to separate traffic. It is an security requirement.
> I've differents use cases in my project, others including port forwarding,
> DNAT and filter iptables, for that it's OK.
> But when i want create 2 sys-net for 1 firewall, the second sys-net don't
> have vif interface and so, I can't reach him from firewall.
> Is there a solution to add vif interface manualy?
> Thanks
> alain
> >
> > On Mon, Jul 22, 2019 at 07:51:32AM -0700, alain...@gmail.com <javascript:>
> > wrote:
> > > hello,
> > > I use Qubes-os 4 on a computer which provides 2 ethernet intefaces. For
> > my
> > > project iI need to separate these 2 interfaces (sys-net1, sys-net2). But
> > i
> > > have to use only 1 firewall on which the 2 sys-net would be linked.
> > > Is it possible?
> > > I don't find the solution for the moment. One of these 2 sys-net is
> > created
> > > without vif interface...
> > > Thanks a lot!
> > > Alain
> > >
> >
> > hello Alain
> >
> > Can you explain why you only want to have one sys-firewall? It would be
> > much cleaner to separate the traffic completely.
> >
> > It *is* possible to do what you want, but you need to play with the Qubes
> > networking model, and manipulate NAT and routing on the sys-firewall.
> > In particular, you will need to attach sys-net2 as a client to
> > sys-firewall, and follow the procedures for allowing inter qube traffic.
> >
> > I've posted on this before. If you need some pointers, give some
> > more detail on your setup and needs, (and level of knowledge), and I'll
> > try to help.
> >
> > unman
Hello Alain,
> > > hello,
> > > I use Qubes-os 4 on a computer which provides 2 ethernet intefaces. For
> > my
> > > project iI need to separate these 2 interfaces (sys-net1, sys-net2). But
> > i
> > > have to use only 1 firewall on which the 2 sys-net would be linked.
> > > Is it possible?
> > > I don't find the solution for the moment. One of these 2 sys-net is
> > created
> > > without vif interface...
> > > Thanks a lot!
> > > Alain
> > >
> >
> > hello Alain
> >
> > Can you explain why you only want to have one sys-firewall? It would be
> > much cleaner to separate the traffic completely.
> >
> > It *is* possible to do what you want, but you need to play with the Qubes
> > networking model, and manipulate NAT and routing on the sys-firewall.
> > In particular, you will need to attach sys-net2 as a client to
> > sys-firewall, and follow the procedures for allowing inter qube traffic.
> >
> > I've posted on this before. If you need some pointers, give some
> > more detail on your setup and needs, (and level of knowledge), and I'll
> > try to help.
> >
> > unman
Please don't top post.
What you can do is this:
Net1-----sys-net1
|
sys-firewall
| |
Net2-----sys-net2 qube
sys-net2 has sys-firewall as netvm.
Attach NIC to sys-net2.
On sys-firewall you put custom rules that allow traffic between qube and
sys-net2.
You also need to set routing correctly, modify raw table to allow
inbound traffic from Net2 on the sys-net2 vif.
If done right no configuration is needed on client qubes.
(You will, of course, need nat and filter rules on sys-net2 also.)
I do this to use openBSD HVMs as netVMs, and it works fine.
unman
alain....@gmail.com
Aug 8, 2019, 7:51:34 AM8/8/19
to qubes-users
Hi Unman,
That works well!
Thanks!!!!
alain
Reply all
Reply to author
Forward
0 new messages