On Tuesday, 27 February 2018 18:46:52 UTC, thorsten...@gmail.com wrote: > > Can you also try doing this against the template you're using for your > > sys-firewall? > > > > qvm-features fedora-26-minimal qubes-firewall 1 > > I did this and restarted everything, no difference. > > > > Yes probably. For reference, to check (or enable): > > - go to start menu/System Tools/Qube Manager > > - right click sys-net/Qube Settings/Services tab > > - clocksync should be in the list and ticked if not type clocksync and > > click on + > > - I think a full reboot is required. There are probably ways to avoid it... > > clocksync is checked. > > > > I am confused, did you do this in sys-net or sys-firewall. Because sys-net > > would have a default route and a route for your Lan. You may have tripped > > the info which is fine. > > In fact I left the default routes away and just focused on the missing one. > When I start sys-firewall a new network interface is added (vifx.0) where x > is a number. > "ifconfig -a" displays: > > vif3.0: flags=4098<BROADCAST,MULTICAST> mtu 1500 > (and also 2 default interfaces: enp0s0 and lo, which are both UP and RUNNING) > > > I noticed here that "UP" / "RUNNING" is missing for the vif, therefore I have > to "up" it myself. > This might be part of the problem, since it has to be running in order to add > a new route (which should be done automatically). > So "route" in sys-net displays only the default routes: > > Destination Gateway Genmask Flags Metric Ref Use > Iface > default gateway 0.0.0.0 UG 100 0 0 enp0s0 > 192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s0 > > So if I add the route myself it additionally displays: > > 10.137.0.6 0.0.0.0 255.255.255.255 U 100 0 0 vif3.0 > > So far so good, the values in sys-net are looking "ok" to me now. Or am I > missing something?
Yes looks good. > > > > on sys-firewall, you are probably going to need to ifconfig eth0 up and you > > should have something like this: > > -bash-4.4# netstat -nr > > Kernel IP routing table > > Destination Gateway Genmask Flags MSS Window irtt > > Iface > > 0.0.0.0 10.137.0.14 0.0.0.0 UG 0 0 0 > > eth0 > > 10.137.0.14 0.0.0.0 255.255.255.255 UH 0 0 0 > > eth0 > > On sys-firewall eth0 and lo are UP and RUNNING, but "route" takes around 20 > seconds to finish and displays: > > Destination Gateway Genmask Flags Metric Ref Use > Iface > default gateway 0.0.0.0 UG 0 0 0 eth0 > gateway 0.0.0.0 255.255.255.255 UH 0 0 0 eth0 > > The long waiting time before "route" finishes makes me wonder... This is probably just because it tries to resolve the IPs and DNS times out. if you use netstat -nr, it should be fast. > > I deleted the default routes and recreated them. I also restarted the eth0 > interface. > > When I try to ping 8.8.8.8 from sys-firewall I get: > > From 10.137.0.6 icmp_seq=1 Destination Host Unreachable > From 10.137.0.6 icmp_seq=2 Destination Host Unreachable > ... > > > I also switched the templates of sys-net and sys-firewall to debian-9, but > the result is the same (vif down in sys-net, no route for vif). > > The more I try to fix this, I get a feeling that the root of the problem lies > inside sys-net. Or the "physical" link between sys-net and sys-firewall. I believe there is a doc page (or maybe a thread here) on how to reconnect after a disconnection. could you please do the arp -an after the ping 8.8.8.8 If you have a MAC address for sys-net, then you have "wire" connectivity, otherwise, it is where the pb is. > It seems like the vif in sys-net does not get "up", which breaks the > setup/initialization script (or maybe it breaks earlier, I don't know). > > If I knew, which steps have to be done to set up network between a VM, > sys-firewall and sys-net correctly, I could try to pinpoint the problem > better. > What happens exactly behind the scenes when sys-firewall starts and uses > sys-net as netVM? > Also I was thinking if iptables might be involved here?! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/23340a00-ae9a-4886-84e3-8906be13e949%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
