Unman please help with internet connection
49 views
Skip to first unread message
BM-2cW69JUM7HDVQbJ...@bitmessage.ch
Oct 25, 2018, 2:27:06 PM10/25/18
to qubes...@googlegroups.com
Hi.
I want to get this VM configuration: Internet <-- OpenBSD(VM1) <--
Firewall(VM2) <-- AppVM(VM3)
I use OpenBSD as a NetVM. I call it VM1. I assigned the PCI network card
to this VM, and it has an em0 interface to connect to the internet.
I'd like this OpenBSD VM to be the NetVM for other Qubes, so I created a
new debian AppVM (VM2), which has no NetVM of its own, and I made it the
NetVM of Openbsd(VM1): OpenBSD(VM1) --> VM2
This made it possible to get an xnf0 interface in OpenBSD(VM1).
I have enabled IP forwarding and enabled Nat for xnf0, and I can ping
google from the xnf0 interface, meaning that it has internet access: ping
-I xnf0 8.8.8.8
I made VM2 the NetVM for VM3. VM1 --> VM2 <-- VM3
I enabled IP forwarding in VM2 and I tested some IPtables configurations
for allowing forwarding between the 2 interfaces in VM2. I made it
possible to ping the xnf0 interface in VM1 from VM3. But when I can't ping
an internet address.
Could you please tell me what I need to do in VM2 so that I can make VM2
act like a regular firewall VM, even theough it is a default Qubes NetVM?
Thanks.
I want to get this VM configuration: Internet <-- OpenBSD(VM1) <--
Firewall(VM2) <-- AppVM(VM3)
I use OpenBSD as a NetVM. I call it VM1. I assigned the PCI network card
to this VM, and it has an em0 interface to connect to the internet.
I'd like this OpenBSD VM to be the NetVM for other Qubes, so I created a
new debian AppVM (VM2), which has no NetVM of its own, and I made it the
NetVM of Openbsd(VM1): OpenBSD(VM1) --> VM2
This made it possible to get an xnf0 interface in OpenBSD(VM1).
I have enabled IP forwarding and enabled Nat for xnf0, and I can ping
google from the xnf0 interface, meaning that it has internet access: ping
-I xnf0 8.8.8.8
I made VM2 the NetVM for VM3. VM1 --> VM2 <-- VM3
I enabled IP forwarding in VM2 and I tested some IPtables configurations
for allowing forwarding between the 2 interfaces in VM2. I made it
possible to ping the xnf0 interface in VM1 from VM3. But when I can't ping
an internet address.
Could you please tell me what I need to do in VM2 so that I can make VM2
act like a regular firewall VM, even theough it is a default Qubes NetVM?
Thanks.
Squares
Oct 25, 2018, 2:39:17 PM10/25/18
to qubes...@googlegroups.com
--------------------------------------------------------------------------------------------------------
This email was sent via Anonymous email service for free.
YOU CAN REMOVE THIS TEXT MESSAGE BY BEING A PAID MEMBER FOR $19/year.
CLICK HERE =>
IP address of the sender:185.104.120.4 Message ID= 461579
--------------------------------------------------------------------------------------------------------
Hi. I want to get this VM configuration: Internet <-- OpenBSD(VM1) <-- Firewall(VM2) <-- AppVM(VM3) I use OpenBSD as a NetVM. I call it VM1. I assigned the PCI network card to this VM, and it has an em0 interface to connect to the internet. I'd like this OpenBSD VM to be the NetVM for other Qubes, so I created a new debian AppVM (VM2), which has no NetVM of its own, and I made it the NetVM of Openbsd(VM1): OpenBSD(VM1) --> VM2 This made it possible to get an xnf0 interface in OpenBSD(VM1). I have enabled IP forwarding and enabled Nat for xnf0, and I can ping google from the xnf0 interface, meaning that it has internet access: ping -I xnf0 8.8.8.8 I made VM2 the NetVM for VM3. VM1 --> VM2 <-- VM3 I enabled IP forwarding in VM2 and I tested some IPtables configurations for allowing forwarding between the 2 interfaces in VM2. I made it possible to ping the xnf0 interface in VM1 from VM3. But when I can't ping an internet address. Could you please tell me what I need to do in VM2 so that I can make VM2 act like a regular firewall VM, even theough it is a default Qubes NetVM? Thanks.
--------------------------------------------------------------------------------------------------------
This email was sent via Anonymous email service for free.
YOU CAN REMOVE THIS TEXT MESSAGE BY BEING A PAID MEMBER FOR $19/year.
CLICK HERE =>
Message ID= 461579
--------------------------------------------------------------------------------------------------------
unman
Oct 26, 2018, 7:30:02 AM10/26/18
to qubes...@googlegroups.com
On Thu, Oct 25, 2018 at 08:01:23PM +0300, Squares wrote:
>
>
>
> Hi. I want to get this VM configuration: Internet <-- OpenBSD(VM1) <--
> Firewall(VM2) <-- AppVM(VM3) I use OpenBSD as a NetVM. I call it VM1. I
> assigned the PCI network card to this VM, and it has an em0 interface
> to connect to the internet. I'd like this OpenBSD VM to be the NetVM
> for other Qubes, so I created a new debian AppVM (VM2), which has no
> NetVM of its own, and I made it the NetVM of Openbsd(VM1): OpenBSD(VM1)
> --> VM2 This made it possible to get an xnf0 interface in OpenBSD(VM1).
> I have enabled IP forwarding and enabled Nat for xnf0, and I can ping
> google from the xnf0 interface, meaning that it has internet access:
> ping -I xnf0 8.8.8.8 I made VM2 the NetVM for VM3. VM1 --> VM2 <-- VM3
> I enabled IP forwarding in VM2 and I tested some IPtables
> configurations for allowing forwarding between the 2 interfaces in VM2.
> I made it possible to ping the xnf0 interface in VM1 from VM3. But when
> I can't ping an internet address. Could you please tell me what I need
> to do in VM2 so that I can make VM2 act like a regular firewall VM,
> even theough it is a default Qubes NetVM? Thanks.
>
>
SO you have the basic structure in place.
>
>
>
> Hi. I want to get this VM configuration: Internet <-- OpenBSD(VM1) <--
> Firewall(VM2) <-- AppVM(VM3) I use OpenBSD as a NetVM. I call it VM1. I
> assigned the PCI network card to this VM, and it has an em0 interface
> to connect to the internet. I'd like this OpenBSD VM to be the NetVM
> for other Qubes, so I created a new debian AppVM (VM2), which has no
> NetVM of its own, and I made it the NetVM of Openbsd(VM1): OpenBSD(VM1)
> --> VM2 This made it possible to get an xnf0 interface in OpenBSD(VM1).
> I have enabled IP forwarding and enabled Nat for xnf0, and I can ping
> google from the xnf0 interface, meaning that it has internet access:
> ping -I xnf0 8.8.8.8 I made VM2 the NetVM for VM3. VM1 --> VM2 <-- VM3
> I enabled IP forwarding in VM2 and I tested some IPtables
> configurations for allowing forwarding between the 2 interfaces in VM2.
> I made it possible to ping the xnf0 interface in VM1 from VM3. But when
> I can't ping an internet address. Could you please tell me what I need
> to do in VM2 so that I can make VM2 act like a regular firewall VM,
> even theough it is a default Qubes NetVM? Thanks.
>
>
Little more is needed. As I recall, setting DNS on the qubes downstream
of fw, and routing correctly between the qubes and openBSD.
Also there is an unholy mix of iptables and nftables, although I *may*
have tidies that up.
I'm away from home at the moment. When I get back I'll check the
openBSD setup, and post back, probably tomorrow evening.
cheers
unman
unman
Oct 30, 2018, 8:29:09 AM10/30/18
to qubes...@googlegroups.com
Here's what I do:
On VM2:
ip route add default via <VM1_IP>
iptables -I FORWARD -i vif+ -o vif+ -j ACCEPT - Note that this allows
*all* traffic to pass between qubes connected to VM2 - adjust as you
wish.
iptables -t raw -I PREROUTING -i <vif interface to which VM1 is connected> -j ACCEPT
iptables -t nat -I PR-QBS -p udp --dport 53 -j DNAT --to 9.9.9.9
That's it.
You'll find that qubes attached to VM2 will use DNS server 9.9.9.9, and
traffic will exit via VM1
You can (and should) have a firewall running on VM1.
Obviously, you can harden this a good deal.
With this set-up you can use standard qubes networking and the rules
will be enforced on VM2.
I always prefer it when there's no need to reconfigure qubes or
the Qubes networking infrastructure, so you can switch a qube between
this and standard arrangement or vpn as you wish.
unman
Reply all
Reply to author
Forward
0 new messages