App VM unable to ping, Net VM is able to ping (Qubes 4.0)

Trying to find the appropriate resources / command to debug the following

  • NetVM is able to connect to network (10gbe intel nic)
    • This is probably not an HCL issue, as we are able to ping from the NetVM
    • “Provides Network” flag is enabled for the NetVM
  • AppVM / Firewall VM using NetVM as “Networking”
    • AppVM is unable to ping to private or public network (192.* / 8.8.8.8)
    • AppVM is able to ping NetVM in qubes network (10.137.0.22)

The following is the ip a for the netvm

user@net-10g-lan:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 80:61:5f:0d:e0:5e brd ff:ff:ff:ff:ff:ff
    inet 10.137.0.22/32 brd 10.137.0.22 scope global noprefixroute ens6
       valid_lft forever preferred_lft forever
    inet 192.168.11.20/24 brd 192.168.11.255 scope global dynamic ens6
       valid_lft 6986sec preferred_lft 6986sec
    inet6 fe80::8261:5fff:fe0d:e05e/64 scope link 
       valid_lft forever preferred_lft forever
6: vif43.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 32
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    inet 10.137.0.22/32 scope global vif43.0
       valid_lft forever preferred_lft forever
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link 
       valid_lft forever preferred_lft forever
7: vif45.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 32
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    inet 10.137.0.22/32 scope global vif45.0
       valid_lft forever preferred_lft forever
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link 
       valid_lft forever preferred_lft forever

Also, just in case, I checked that IPv4 forwarding was enabled

user@net-10g-lan:~$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

The following is the ip a for the Firewall VM using the net VM

[user@sys-firewall-10g ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:16:3e:5e:6c:00 brd ff:ff:ff:ff:ff:ff
    inet 10.137.0.34/32 brd 10.255.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe5e:6c00/64 scope link 
       valid_lft forever preferred_lft forever

Most resources I found regarding NetVM are about how to get X hardware on the HCL list to work with the NetVM. However, now that I got that working, I could not find resources on how to get it working on an AppVM (it's supposed to just work?)

Have you set any firewall rules in the settings of your AppVM and/or sys-firewall?

There are no firewall rules (it's allow all). I have also tried bypassing the firewall and connecting directly to the NetVM from the AppVM.

Would also like to add that this is not the only NetVM. I have 1 for my 10g networking, and another for wifi - and the AppVM / firewall has no issues with the wifi NetVM.

While I thought it could be a hardware issue, the 10g NetVM is able to ping and curl just fine directly.

My only idea is to step by step query you about some things. It is supposed to “just work” if:

  1. qubes-core-agent-networking is installed

  2. the “provides_network” property is set

Can you confirm?

I noticed that your sys-firewall-10g doesn’t have a vif* interface. So I guess at least “provides_network” is not true?

I reinstalled qubes-core-agent-networking to help rule out version issues (it was previously installed).

Besides that, I can confirm that the “provides_network” property is enabled for both the NetVM and the firewall VM.

The firewall does not have vif*, as I was trying to reduce the number of variables in the issue: I switched off all AppVMs and was trying to ping from the firewall VM to 8.8.8.8. I do notice the vif* once the AppVM is up.

Is there a way I can debug the “just works” part between the NetVM and the firewall VM?