> Can you also try doing this against the template you're using for your > sys-firewall? > > qvm-features fedora-26-minimal qubes-firewall 1
I did this and restarted everything, no difference. > Yes probably. For reference, to check (or enable): > - go to start menu/System Tools/Qube Manager > - right click sys-net/Qube Settings/Services tab > - clocksync should be in the list and ticked if not type clocksync and click > on + > - I think a full reboot is required. There are probably ways to avoid it... clocksync is checked. > I am confused, did you do this in sys-net or sys-firewall. Because sys-net > would have a default route and a route for your Lan. You may have tripped the > info which is fine. In fact I left the default routes away and just focused on the missing one. When I start sys-firewall a new network interface is added (vifx.0) where x is a number. "ifconfig -a" displays: vif3.0: flags=4098<BROADCAST,MULTICAST> mtu 1500 (and also 2 default interfaces: enp0s0 and lo, which are both UP and RUNNING) I noticed here that "UP" / "RUNNING" is missing for the vif, therefore I have to "up" it myself. This might be part of the problem, since it has to be running in order to add a new route (which should be done automatically). So "route" in sys-net displays only the default routes: Destination Gateway Genmask Flags Metric Ref Use Iface default gateway 0.0.0.0 UG 100 0 0 enp0s0 192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s0 So if I add the route myself it additionally displays: 10.137.0.6 0.0.0.0 255.255.255.255 U 100 0 0 vif3.0 So far so good, the values in sys-net are looking "ok" to me now. Or am I missing something? > on sys-firewall, you are probably going to need to ifconfig eth0 up and you > should have something like this: > -bash-4.4# netstat -nr > Kernel IP routing table > Destination Gateway Genmask Flags MSS Window irtt Iface > 0.0.0.0 10.137.0.14 0.0.0.0 UG 0 0 0 eth0 > 10.137.0.14 0.0.0.0 255.255.255.255 UH 0 0 0 > eth0 On sys-firewall eth0 and lo are UP and RUNNING, but "route" takes around 20 seconds to finish and displays: Destination Gateway Genmask Flags Metric Ref Use Iface default gateway 0.0.0.0 UG 0 0 0 eth0 gateway 0.0.0.0 255.255.255.255 UH 0 0 0 eth0 The long waiting time before "route" finishes makes me wonder... I deleted the default routes and recreated them. I also restarted the eth0 interface. When I try to ping 8.8.8.8 from sys-firewall I get: >From 10.137.0.6 icmp_seq=1 Destination Host Unreachable >From 10.137.0.6 icmp_seq=2 Destination Host Unreachable ... I also switched the templates of sys-net and sys-firewall to debian-9, but the result is the same (vif down in sys-net, no route for vif). The more I try to fix this, I get a feeling that the root of the problem lies inside sys-net. It seems like the vif in sys-net does not get "up", which breaks the setup/initialization script (or maybe it breaks earlier, I don't know). If I knew, which steps have to be done to set up network between a VM, sys-firewall and sys-net correctly, I could try to pinpoint the problem better. What happens exactly behind the scenes when sys-firewall starts and uses sys-net as netVM? Also I was thinking if iptables might be involved here?! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/785727e5-718e-4709-b395-3dd2ebfbc647%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
