On Mon, Jul 22, 2019 at 11:40:54PM -0700, alain.cor...@gmail.com wrote:
> Hello Unman,
> Thanks for your answer.
> Yes it is in fact to separate traffic. It is a security requirement.
> I've different use cases in my project, others including port forwarding,
> DNAT and filter iptables, for that it's OK.
> But when I want to create 2 sys-net for 1 firewall, the second sys-net doesn't
> have a vif interface and so I can't reach it from the firewall.
> Is there a solution to add a vif interface manually?
> Thanks
> alain
>
> On Monday, July 22, 2019 17:44:11 UTC+2, unman wrote:
> >
> > On Mon, Jul 22, 2019 at 07:51:32AM -0700, alain...@gmail.com wrote:
> > > hello,
> > > I use Qubes-os 4 on a computer which provides 2 ethernet interfaces. For my
> > > project I need to separate these 2 interfaces (sys-net1, sys-net2). But I
> > > have to use only 1 firewall on which the 2 sys-net would be linked.
> > > Is it possible?
> > > I don't find the solution for the moment. One of these 2 sys-net is created
> > > without vif interface...
> > > Thanks a lot!
> > > Alain
> > >
> >
> > hello Alain
> >
> > Can you explain why you only want to have one sys-firewall? It would be
> > much cleaner to separate the traffic completely.
> >
> > It *is* possible to do what you want, but you need to play with the Qubes
> > networking model, and manipulate NAT and routing on the sys-firewall.
> > In particular, you will need to attach sys-net2 as a client to
> > sys-firewall, and follow the procedures for allowing inter qube traffic.
> >
> > I've posted on this before. If you need some pointers, give some
> > more detail on your setup and needs, (and level of knowledge), and I'll
> > try to help.
> >
> > unman
Hello Alain,

Please don't top post.

What you can do is this:

Net1-----sys-net1
             |
         sys-firewall
          |       |
Net2-----sys-net2    qube

qube sys-net2 has sys-firewall as netvm.
Attach NIC to sys-net2.
On sys-firewall you put custom rules that allow traffic between qube and
sys-net2. You also need to set routing correctly, modify raw table to
allow inbound traffic from Net2 on the sys-net2 vif.
If done right no configuration is needed on client qubes.
(You will, of course, need nat and filter rules on sys-net2 also.)

I do this to use openBSD HVMs as netVMs, and it works fine.

unman

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190726135054.qt6xwonon3th42da%40thirdeyesecurity.org.
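The sys-firewall side of the layout unman describes (route to Net2, FORWARD exceptions, raw-table anti-spoofing exemption), as an added example that is not unman's script nor the Qubes project's own code. The IP addresses, subnet and vif name are hypothetical placeholders, and the rule positions assume the Qubes 4.0 iptables layout.

```shell
#!/bin/sh
# Added example (not unman's or the Qubes project's script) for the
# sys-firewall side of the layout above, intended to be called from
# /rw/config/qubes-firewall-user-script so it survives reboots.
# The addresses and vif name below are hypothetical placeholders:
# take the real ones from `qvm-ls -n` and `ip -br addr` in sys-firewall.
SYS_NET2_IP="${SYS_NET2_IP:-10.137.0.20}"     # sys-net2 as a client of sys-firewall
SYS_NET2_VIF="${SYS_NET2_VIF:-vif12.0}"       # sys-firewall's vif towards sys-net2
NET2_SUBNET="${NET2_SUBNET:-192.168.2.0/24}"  # the network on sys-net2's NIC
CLIENT_IP="${CLIENT_IP:-10.137.0.30}"         # the one qube allowed to reach Net2

# DRY_RUN=1 prints each command instead of applying it, so the rule set
# can be reviewed (and tested) without root or iptables.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# 1. Routing: sys-firewall only has a host route to each client vif, so
#    Net2's subnet must be sent to sys-net2 explicitly.
add_net2_route() {
    run ip route replace "$NET2_SUBNET" via "$SYS_NET2_IP" dev "$SYS_NET2_VIF"
}

# 2. Filter: Qubes' FORWARD chain drops vif-to-vif traffic by default.
#    Insert ACCEPTs at position 2, after the ESTABLISHED/RELATED rule,
#    scoped to exactly the hosts/subnet involved; verify the chain order
#    with `iptables -S FORWARD` before relying on the position.
allow_inter_qube() {
    run iptables -I FORWARD 2 -s "$CLIENT_IP" -d "$SYS_NET2_IP" -j ACCEPT
    run iptables -I FORWARD 2 -s "$CLIENT_IP" -d "$NET2_SUBNET" -j ACCEPT
    run iptables -I FORWARD 2 -s "$NET2_SUBNET" -d "$CLIENT_IP" -j ACCEPT
}

# 3. Raw table: Qubes' vif setup installs an anti-spoofing rule per vif
#    that drops packets whose source is not that client's own IP, so
#    traffic from Net2 forwarded by sys-net2 dies here. Exempt only
#    Net2's subnet on only sys-net2's vif, ahead of the DROP, and keep
#    the exemption that narrow.
allow_net2_inbound() {
    run iptables -t raw -I PREROUTING -i "$SYS_NET2_VIF" -s "$NET2_SUBNET" -j ACCEPT
}

apply_all() { add_net2_route; allow_inter_qube; allow_net2_inbound; }

# Only apply when invoked as `sh thisfile apply`; sourcing just defines the functions.
if [ "${1:-}" = apply ]; then apply_all; fi
```

Run with DRY_RUN=1 first and compare the printed rules against `iptables -S FORWARD` and `iptables -t raw -S PREROUTING` in sys-firewall; the nat and filter rules on sys-net2 itself that unman mentions are not covered here.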