Access external Windows/Samba local network from Qubes OS

User Support General
1

Hello, friends.
I tried to access NAS and Network Printer on my local network from Qubes VM , but I did not have any luck. May be it is an easy thing to do, but I do not get it.

I’ve created a separate VM and connected it directly to sys-net. Then I realized that I should install Samba into Fedora Template. Then tried SMB from sys-net, but could not access local network anyway. I am sure that I’ve made some kind of mistake, but I did so many tries from different manuals that it is better to start from the scratch.

Can anyone reproduce steps on how to access Samba Network/NAS/Network Printer from QubesOS? I think it would be a valuable information for Qubes OS site, as NASes and Network Printers are very useful pieces of equipment.

2

On the docs there are instructions on how to configure a network printer. If the issue is related to you samba one, maybe you can try to follow that tutorial and see if there is anything (firewall-related) that you’re missing.

3

Thank you for trying to help me. I’ve seen the article, it has a lot words, but too little sense. Let me quote it here:

  1. Start the “Printer Settings” App in a template VM
  2. Add/Configure the printer in the same way as one would do on any normal Linux. … One can use Qubes Manager to modify firewall rules for particular VMs. (What rules?)
  3. Test the printer by printing a test page.
  4. … If it doesn’t then probably the AppVM doesn’t have networking access to the printer – in that case adjust the firewall settings for that AppVM in Qubes Manager. (That was a powerful troubleshooting advice!)
  5. Alternatively if you do not want to modify the firewall rules of the template VM … , start or restart an AppVM based on the template and test printing there.

I’ve assumed that I’m missing something very basic, as I did not find any help in the internet. Seems that it somehow connected to Qubes Firewall. NetVM (sys-net) doesn’t seem to have any firewall as when I try to access it I get the message

This qube has networking disabled (Basic → Networking) - network will be disabled. If you want to use firewall, please enable networking.

It makes sense, I need to go to the Qube (AppVM) settings and connect it to the machine that provides network. As long as networking Virtual Machine provides network itself, then you should not connect it to any other VM.

Still, according to this instruction, networking VMs actually have one, iptables commands should be added to /rw/config/qubes-firewall-user-script .

The only networking HowTo for the Qubes OS I have found is Playing with Qubes Networking for Fun and Profit, but it seems to be a little bit outdated.

So, I try to find help here, praying someone will descent to human being and enlighten a soul with the divine knowledge.

1 Like
4

It would be very much easier to help you if you gave a little more
information than " I did not have any luck" .
What have you done, other than “install Samba in fedora template”?
Do you know how to connect to a samba server from ordinary Fedora?

1 Like
5

As I wrote, I start from scratch now.

It is first time I configure samba and iptables. There is no problem with SMB, as there are tons of manuals, but firewall and routing in Qubes is something unique.

Today I have found something that could really help me. So, the steps I’ve done:

  1. I attached the VM to a NetVM that has an active network connection (in dom0):

qvm-prefs -s printnas netvm sys-net

  1. Set an IP address on the VM (my local network is in 192.168.0.100/255 range, Qubes 10.137.0.1/25)(in dom0):

qvm-prefs -s printnas ip 192.168.0.125

  1. Enabled the network server feature for printnas VM (in dom0):

qvm-features testvm routing-method forward

Now I do not know how to accomplish this step:

Do note that testvm will have the standard Qubes OS firewall rules stopping inbound traffic. To solve that issue, you can use the standard rc.local Qubes OS mechanism to alter the firewall rules in your testvm AppVM.

Do I need this to access NAS as client? What rules should I use?

6

I am now as confused as i think you are.
Your question was about accessing a samba server on the local network -
the qubes-network-server is about opening up services running on a qube
to the local network. The very opposite of what you are trying to do.

The firewall and routing in Qubes are intended to be transparent FROM
qubes to the outside. It is possible, but extremely unlikely, that
this is relevant to you.

You say that “There is no problem with SMB”, but you still have not
said what steps you have taken, or what you have learnt from the “tons
of manuals”.
Read the section on this page about accessing samba shares from Fedora:
https://docs.fedoraproject.org/en-US/fedora/f32/system-administrators-guide/servers/File_and_Print_Servers/
Try it from a terminal in the qube.

7

Try the following:

  1. Create a VM based on the fedora-32 template, set networking to sys-firewall.
  2. Open the Files application in your VM.
  3. Click on Other Locations in the sidebar.
  4. In the Connect to Server field at the bottom of the screen type:
    smb://xxxx
    where xxxx is the IP address of the NAS you are trying to connect to.
  5. Click Connect. When prompted enter the username and password.
  6. You should now be able to browse the samba shares on you NAS in the Files application.

The printer setup is a bit trickier since it will depend on what type of printer you have and how you are connecting to it.

In my case, I have a HP printer. So in the template VM where I wanted to use the printer I did the following:

  1. Installed hplip-gui (the graphical HP Printer setup application):
    sudo dnf install hplip-gui
  2. Ran hplip-gui to setup my printer:
    sudo hp-setup

Thereafter, all VM’s based on that template VM will have access to my printer.

If your printer in not a HP, then the generic process is:

  1. Start a terminal in the desired template VM.
  2. Install system-config-printer:
    sudo dnf install system-config-printer
  3. Run the following command:
    sudo system-config-printer
  4. Configure the printer (the details will vary depending on the type of printer and how it is accessed).
  5. Any VM’s that are based on this template VM will now be able to access the printer.

Notes

  1. These instructions assume you are using a template VM cloned from the fedora-32 template.
  2. Do use a clone of the fedora-32 template rather than the fedora-32 template itself, so you can delete the clone and start over if something goes wrong :). Plus you don’t want system templates like sys-net, sys-usb, etc which are based on fedora-32 having access to your printer!!