Re: [qubes-users] Networking between qubes and HVMs
On Thu, Oct 11, 2018 at 06:02:55PM -0700, jmarkdavi...@gmail.com wrote: > I guess to further clarify what I want to try to do is have sys net be > connected to the interface that is connected to my modem(to the ISP/world). > > I would like another vm to control all(or some) other > physical interfaces on my machine (access points/etc..). > > I would like a qubeVM from within the machine running qubes to be able to > connect via those physical interfaces as if they were also attached to the > physical interface. > > Ideally so that the qubes OS is segregating physical NICs along with > applications. > > So lets say FreeNAS is running inside qubes. And someone near my access point > wants to use freeNAS via wifi, they would log in via ssh or whatever over the > access point. > > But if that same someone is somewhere else they can ssh or whatever to > freeNAS via the internet and the wan NIC that sys-net controls. > That makes it much clearer to me. Thanks. There are a number of different ways to approach this, but the one that seems easiest would be something like this: sys-net -- sys-fw -- freeNAS | -- qube1 | -- wifi -- qube2 wifi is set up to "provide network" - ie it's a NetVM, and acts as access point via attached wifi. Setting up access via sys-net to freeNAS is straightforward, and already documented, as you know. I suggest you get that working first. Provisioning the wifi qube should be straightforward. You will need to set up the wifi access point, and then configure port forwarding to freeNAS. sys-fw should be the default route set on wifi qube. Depending on whether you want downstream clients (like qube2) you may want to change this. You will need to set fw rules to allow traffic between these vif interfaces. You will need to adjust routes to ensure that traffic arriving at freeNAS via wifi does not get sent out via sys-net. The simplest way to achieve this will be to use source NAT on wifi, or Masquerade, depending on your configuration. Note that qube2 can connect EITHER to freeNAS port OR to external IP of sys-net. If you don't want this, either have no qubes connected downstream of wifi, or adjust fw on wifi to block traffic from all vif interfaces to eth0. If you need help with the details, just ask. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181015125948.5rcerl6hw7s3usbm%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Networking between qubes and HVMs
I guess to further clarify what I want to try to do is have sys net be connected to the interface that is connected to my modem(to the ISP/world). I would like another vm to control all(or some) other physical interfaces on my machine (access points/etc..). I would like a qubeVM from within the machine running qubes to be able to connect via those physical interfaces as if they were also attached to the physical interface. Ideally so that the qubes OS is segregating physical NICs along with applications. So lets say FreeNAS is running inside qubes. And someone near my access point wants to use freeNAS via wifi, they would log in via ssh or whatever over the access point. But if that same someone is somewhere else they can ssh or whatever to freeNAS via the internet and the wan NIC that sys-net controls. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bc2687fb-1cdd-422e-9ce8-583b8d3f9922%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Networking between qubes and HVMs
Its a fresh install of 4.0 and im using default sys vms. Id rather not have all these vms as the overhead is pointless. I also did not realize there was a switch, ill read up on nft. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/aa5a2ed0-37e1-4ac9-bd72-94bedfe579b3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Networking between qubes and HVMs
On Tue, Oct 09, 2018 at 05:43:56AM -0700, jmarkdavi...@gmail.com wrote: > I am still having difficulty getting these vms to be reachable with each > other. Basically what I want to do is have a home security/automation vm, and > a freenas vm, communicate with the outside world and with the vm that > controls my access points/physical switches. > > Currently I have the usual sys-net/sys-firewall. Each service vm(access > points, freenas, etc.) Has its own firewall vm. Those fireall service vms are > all connected to sys-firewall. > > I followed the instructions in the qubes-firewall docs setting up forwarding > between the service firewalls to travel through sys-firewall. And each > service firewall vm(and their associated service vm), can ping every firewall > vm in the system. But the actual service vms themselves cannot ping each > other. > > So for example: freenas vm > freenas vm firewall > sys firewall > home > security firewall vm. > All will allow ping, but i cant get freenas to talk to home security vm, as i > intend on using the nas storage to store the camera footage. > > Similarly the home security vm can do the same amount of pings, but fails to > talk to freenas. > > I suspect NAT is the issue but lack the knowledge base to enable this to work. > > I am not particularly dead set on using all these firewall vms either but > this is the config thats gotten me the furthest so far. > I'm not sure what pourpose you had in mind when putting in those extra firewalls. Undoubtedly they will complicate matters further. Are you intent on keeping them? What template are you using for sys-firewall? The instructions should be updated to cover nft which is now the default in Fedora templates, rather than iptables. Which template are you using for sys-net? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181010130059.kc7gqshrudxana7p%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Networking between qubes and HVMs
I am still having difficulty getting these vms to be reachable with each other. Basically what I want to do is have a home security/automation vm, and a freenas vm, communicate with the outside world and with the vm that controls my access points/physical switches. Currently I have the usual sys-net/sys-firewall. Each service vm(access points, freenas, etc.) Has its own firewall vm. Those fireall service vms are all connected to sys-firewall. I followed the instructions in the qubes-firewall docs setting up forwarding between the service firewalls to travel through sys-firewall. And each service firewall vm(and their associated service vm), can ping every firewall vm in the system. But the actual service vms themselves cannot ping each other. So for example: freenas vm > freenas vm firewall > sys firewall > home security firewall vm. All will allow ping, but i cant get freenas to talk to home security vm, as i intend on using the nas storage to store the camera footage. Similarly the home security vm can do the same amount of pings, but fails to talk to freenas. I suspect NAT is the issue but lack the knowledge base to enable this to work. I am not particularly dead set on using all these firewall vms either but this is the config thats gotten me the furthest so far. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/78a21e71-1e3a-44ef-8afd-593987b20b01%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Networking between qubes and HVMs
On Wed, Oct 03, 2018 at 10:47:20AM -0700, jmarkdavi...@gmail.com wrote: > I literally just read that and going to post an apology for repeating a > question > No problem. If you need some further pointers shout out. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181004142031.7v4xwjagkcydgron%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Networking between qubes and HVMs
On Wed, Oct 03, 2018 at 08:10:10AM -0700, jmarkdavi...@gmail.com wrote: > I want to allow a debian qube to use a BSD qube as its network and to allow > traffic between them. The BSD sees the vif created for the debian when I do > this, but no traffic passes between them. In the firewall settings for debian > qube I get a warning that its not attached to a firewall vm so no traffic is > allowed. > Is there a way to override this? I saw in qubes docs there is a way to do > this for template based qube vms, but what about for an HVM and a qube? > There was a recent post on exactly this issue. I do this with an openBSD HVM as netvm. My solution is to attach both HVM and qubes to a (non-networked) fw. https://groups.google.com/forum/#!topic/qubes-users/iQm9-rrCDIY unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181003154256.bbz3kuker5xjkq7f%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Networking between qubes and HVMs
I want to allow a debian qube to use a BSD qube as its network and to allow traffic between them. The BSD sees the vif created for the debian when I do this, but no traffic passes between them. In the firewall settings for debian qube I get a warning that its not attached to a firewall vm so no traffic is allowed. Is there a way to override this? I saw in qubes docs there is a way to do this for template based qube vms, but what about for an HVM and a qube? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8e47d152-a963-4bec-ab42-cfa9e8379189%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.