Windows 10 Pro HVM does not work with Mirage Firewall


Claudio Chinicz

Apr 18, 2019, 4:53:25 AM
to qubes...@googlegroups.com
Hi All,

Once again I turn to the Qubes Community to ask for help.

I have a Mirage Firewall VM that works with HVM (Linux Mint) and
Debian/Fedora template-based PVMs.

My Windows 10 HVM, which works just fine through sys-firewall
(copy/paste and file sharing with other VMs don't, but I can live with it).

I've tried setting up networking manually by adding its IP, mask and
gateway and rebooting but it did not work. It works with DHCP instead
when getting network through sys-firewall.

I've followed all the ideas from here
(https://www.windowscentral.com/how-regain-internet-access-after-installing-update-windows-10)
and it still did not work.

One last piece of information, my Windows 10 Pro was successfully
activated using a key I provided.

Any ideas? This is not critical, since I can continue using
sys-firewall, but would love to free some memory by using Mirage.

Thank you all in advance,

Claudio

Thomas Leonard

Apr 19, 2019, 5:05:45 AM
to qubes-users

There might be clues in the firewall VM's logs. You can see them with Qubes Manager (right-click on mirage-firewall and choose Logs -> guest-mirage-firewall.log). Open the logs just after booting Windows and seeing that networking doesn't work and look at the end.

You can also do "sudo xl console mirage-firewall" in dom0 to follow the logs and then boot Windows and watch for new entries.

Claudio Chinicz

Apr 19, 2019, 7:19:28 AM
to qubes...@googlegroups.com
Hi Thomas,

Thanks in advance. Please see below logs from guest-mirage-firewall.log.
My Windows VM is 10.137.0.21.

What really surprises me is why it does not work even if I set my
ip/mask/gateway as it works with Linux Mint? What's different with Windows?

Best Regards,

Claudio

2019-04-18 11:20:10 -00:00: INF [client_net] Client 18 (IP: 10.137.0.21)
ready
2019-04-18 11:20:10 -00:00: INF [ethernet] Connected Ethernet interface
00:16:3e:5e:6c:00
2019-04-18 11:20:11 -00:00: INF [client_net] add client vif
{domid=17;device_id=0}
2019-04-18 11:20:11 -00:00: INF [qubes.db] got rm
"/qubes-iptables-domainrules/"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-iptables-header" = "# Generated by Qubes Core on Thu Apr 18
14:20:11 2019\n*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT
ACCEPT [0:0]\n-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP\n-A
INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -p
icmp -j ACCEPT\n-A INPUT -i lo -j ACCEPT\n-A INPUT -j REJECT
--reject-with icmp-host-prohibited\n-A FORWARD -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -i vif+ -o vif+ -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-iptables-domainrules/10" = "*filter\n-A FORWARD -s 10.137.0.18
-j ACCEPT\n-A FORWARD -s 10.137.0.18 -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-iptables-domainrules/17" = "*filter\n-A FORWARD -s 10.137.0.21
-j ACCEPT\n-A FORWARD -s 10.137.0.21 -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-iptables-domainrules/14" = "*filter\n-A FORWARD -s 10.137.0.13
-j ACCEPT\n-A FORWARD -s 10.137.0.13 -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-iptables-domainrules/9" = "*filter\n-A FORWARD -s 10.137.0.8 -j
ACCEPT\n-A FORWARD -s 10.137.0.8 -j DROP\nCOMMIT\n"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/qubes-iptables"
= "reload"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/mapped-ip/10.137.0.21/visible-ip" = "10.137.0.21"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/mapped-ip/10.137.0.21/visible-gateway" = "10.137.0.23"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-firewall/10.137.0.21/0000" = "action=accept"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-firewall/10.137.0.21/policy" = "drop"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-firewall/10.137.0.21" = ""
2019-04-18 11:20:11 -00:00: INF [qubes.db] got rm
"/qubes-firewall/10.137.0.21/"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-firewall/10.137.0.21/0000" = "action=accept"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-firewall/10.137.0.21/policy" = "drop"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
"/qubes-firewall/10.137.0.21" = ""
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.1?
2019-04-18 11:20:22 -00:00: INF [client_eth] unknown address; not responding
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP 0.0.0.0
in IP packet from 10.137.0.21 (dropping)
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP
10.137.0.1 in IP packet from 10.137.0.21 (dropping)
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.1?
2019-04-18 11:20:22 -00:00: INF [client_eth] unknown address; not responding
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.21?
2019-04-18 11:20:22 -00:00: INF [client_eth] ignoring request for
client's own IP
2019-04-18 11:20:22 -00:00: WRN [client_net] Ignored unknown IPv4
message: Ignoring non-TCP/UDP packet: IPv4 packet 10.137.0.21 ->
224.0.0.22: id 46e6, off 0 proto 2, ttl 1, options
94 04 00 00
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.21?
2019-04-18 11:20:22 -00:00: INF [client_eth] ignoring request for
client's own IP
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.1?
2019-04-18 11:20:22 -00:00: INF [client_eth] unknown address; not responding
2019-04-18 11:20:22 -00:00: WRN [client_net] Ignored unknown IPv4
message: Ignoring non-TCP/UDP packet: IPv4 packet 10.137.0.21 ->
224.0.0.22: id 46e7, off 0 proto 2, ttl 1, options
94 04 00 00
2019-04-18 11:20:22 -00:00: WRN [client_net] Ignored unknown IPv4
message: Ignoring non-TCP/UDP packet: IPv4 packet 10.137.0.21 ->
224.0.0.22: id 46e8, off 0 proto 2, ttl 1, options
94 04 00 00
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP 0.0.0.0
in IP packet from 10.137.0.21 (dropping)
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP
10.137.0.1 in IP packet from 10.137.0.21 (dropping)
2019-04-18 11:20:22 -00:00: WRN [client_net] Ignored unknown IPv4
message: Ignoring non-TCP/UDP packet: IPv4 packet 10.137.0.21 ->
224.0.0.22: id 46e9, off 0 proto 2, ttl 1, options
94 04 00 00
2019-04-18 11:20:22 -00:00: WRN [firewall] Failed to add NAT rewrite
rule: Cannot NAT this packet (IPv4 packet 10.137.0.21 -> 224.0.0.251: id
e7de, off 0 proto 17, ttl 1, options
UDP port 5353 -> 5353)
2019-04-18 11:20:22 -00:00: WRN [firewall] Failed to add NAT rewrite
rule: Cannot NAT this packet (IPv4 packet 10.137.0.21 -> 224.0.0.252: id
211e, off 0 proto 17, ttl 1, options
UDP port 53180 -> 5355)
2019-04-18 11:20:22 -00:00: WRN [firewall] Failed to add NAT rewrite
rule: Cannot NAT this packet (IPv4 packet 10.137.0.21 -> 224.0.0.251: id
e7df, off 0 proto 17, ttl 1, options

Thomas Leonard

Apr 22, 2019, 9:28:18 AM
to qubes-users
> 2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
> "/mapped-ip/10.137.0.21/visible-ip" = "10.137.0.21"
> 2019-04-18 11:20:11 -00:00: INF [qubes.db] got update:
> "/mapped-ip/10.137.0.21/visible-gateway" = "10.137.0.23"
[...]

> 2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.1?
> 2019-04-18 11:20:22 -00:00: INF [client_eth] unknown address; not responding

(continued at https://github.com/mirage/qubes-mirage-firewall/issues/56)
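
The two excerpts quoted above show QubesDB publishing one visible-gateway for the client while the firewall declines ARP queries for a different address; the same facts can be pulled out of a longer log mechanically. This is an added example, not part of the original thread or of the qubes-mirage-firewall project. The sample lines are constructed in the format of the log posted earlier, and `summarize` and its result keys are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample: lines in the format of the guest-mirage-firewall.log
# excerpt posted in this thread, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.21/visible-ip" = "10.137.0.21"
2019-04-18 11:20:11 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.21/visible-gateway" = "10.137.0.23"
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.1?
2019-04-18 11:20:22 -00:00: INF [client_eth] unknown address; not responding
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP 0.0.0.0 in IP packet from 10.137.0.21 (dropping)
2019-04-18 11:20:22 -00:00: WRN [client_net] Incorrect source IP 10.137.0.1 in IP packet from 10.137.0.21 (dropping)
2019-04-18 11:20:22 -00:00: INF [client_eth] who-has 10.137.0.21?
2019-04-18 11:20:22 -00:00: INF [client_eth] ignoring request for client's own IP
"""

GATEWAY = re.compile(r'"/mapped-ip/([\d.]+)/visible-gateway" = "([\d.]+)"')
WHO_HAS = re.compile(r"\[client_eth\] who-has ([\d.]+)\?")
BAD_SRC = re.compile(r"Incorrect source IP ([\d.]+) in IP packet from ([\d.]+)")


def summarize(log_text):
    """Hypothetical helper: collect the gateway published per client, the ARP
    targets the firewall did not answer, and packets dropped for a wrong source."""
    gateways, unanswered, wrong_source = {}, Counter(), Counter()
    pending = None  # target of the most recent who-has line
    for line in log_text.splitlines():
        if m := GATEWAY.search(line):
            gateways[m.group(1)] = m.group(2)           # client -> gateway
        elif m := WHO_HAS.search(line):
            pending = m.group(1)
        elif m := BAD_SRC.search(line):
            wrong_source[(m.group(2), m.group(1))] += 1  # (client, claimed source)
        elif "[client_eth]" in line:
            # Status line that follows a who-has line in the log.
            if "unknown address; not responding" in line and pending:
                unanswered[pending] += 1
            pending = None
    return {
        "gateways": gateways,
        "unanswered_arp": dict(unanswered),
        "wrong_source": dict(wrong_source),
        # Unanswered ARP targets that are not any client's published gateway.
        "unanswered_non_gateway": sorted(set(unanswered) - set(gateways.values())),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```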

Claudio Chinicz

Apr 28, 2019, 10:29:43 AM
to qubes...@googlegroups.com
Hi everybody,

We've made progress investigating this issue (see on
https://github.com/mirage/qubes-mirage-firewall/issues/56) and now it
seems related to Windows drivers (I'm currently using virtual PCI
devices provided by QEMU with this Windows 10 HVM).

There may be a solution using Windows PV network driver
(https://xenproject.org/windows-pv-drivers/) but there are 5 options and
I'm not sure which ones to download and install. They are WINDOWS PV
8.2.2 BUS DRIVER (XENBUS.TAR), WINDOWS PV 8.2.2 INTERFACE
(XENIFACE.TAR), WINDOWS PV 8.2.2 NETWORK CLASS DRIVER (XENVIF.TAR),
WINDOWS PV 8.2.2 NETWORK DEVICE DRIVER (XENNET.TAR), WINDOWS PV 8.2.2
STORAGE HOST ADAPTER DRIVER (XENVBD.TAR).

Has anyone ever tried using Windows PV net driver with Windows HVM? Any
help much appreciated.

Thanks,

Claudio



Claudio Chinicz

May 2, 2019, 9:07:01 AM
to qubes...@googlegroups.com
Hi All,

Thanks to Thomas's efforts and patience, now Mirage for Qubes can be used
by Windows 10 Pro (HVM) users as a lightweight alternative to sys-firewall.

For those interested, please see on GitHub:
https://github.com/mirage/qubes-mirage-firewall/issues/56

Best
