Can't connect to Internet in sys-firewall

I can’t connect to the internet in sys-firewall, only in sys-net. Firefox and the ping test through the command line only work in the latter. sys-firewall is configured to connect to sys-net, so what am I doing wrong?

What Qubes OS version do you have?
Do you have any firewall rules in sys-firewall qube Settings?
What template are sys-net and sys-firewall based on?
Is it a newly installed system?
Did you upgrade from Qubes OS 4.1 to Qubes OS 4.2 in-place?


I have 4.2 (I just installed from scratch, I’m a new user). I don’t have any firewall rules in sys-firewall (it says “allow all outgoing connections”). The template is default-dvm for both. Thanks for the quick answer.

What template is default-dvm based on?


Fedora-38-xfce

Can you ping sys-net vif* interface IP from sys-firewall?
Can you ping sys-net LAN interface IP (from your attached network controller interface) from sys-firewall?


How do I do that? :sweat_smile:

In sys-net terminal run this command:

ip a

Your interfaces’ IP addresses will be in the “inet X.X.X.X/Y” lines, where X.X.X.X is the interface IP.
Then ping this IP address from sys-firewall.

It’s working. I have let the ping go for a while and then tried to open firefox and it worked. Thanks.

EDIT: I restarted the PC and Firefox doesn’t work anymore. I have also tried this “pinging method” again, but it doesn’t work anymore either.

Can you try pinging 9.9.9.9 from sys-net and sys-firewall?

ping 9.9.9.9

It works in both.

And what if you ping the domain in both?

ping quad9.com

It only works in sys-net.
In sys-firewall it can’t connect.

Seems to be a problem with DNS.
What’s the output of this command in sys-firewall?

cat /etc/resolv.conf

What’s the output of this command in sys-net?

sudo nft list ruleset

The first output is:
nameserver 10.139.1.1
nameserver 10.139.1.2
The second output is:
table ip qubes {
	set downstream {
		type ipv4_addr
		elements = { 10.138.12.65 }
	}

	set allowed {
		type ifname . ipv4_addr
		elements = { "vif5.0" . 10.138.12.65 }
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip saddr @downstream counter packets 0 bytes 0 drop
	}

	chain antispoof {
		iifname . ip saddr @allowed accept
		counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 meta l4proto icmp accept
		iif "lo" accept
		iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
		counter packets 15 bytes 1652
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
	}

	chain custom-forward {
	}

	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
	}
}
table ip6 qubes {
	set downstream {
		type ipv6_addr
	}

	set allowed {
		type ifname . ipv6_addr
	}

	chain antispoof {
		iifname . ip6 saddr @allowed accept
		counter packets 13 bytes 824 drop
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip6 saddr @downstream counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain _icmpv6 {
		meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
		icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
		accept
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 goto _icmpv6
		iif "lo" accept
		ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
		meta l4proto ipv6-icmp accept
		counter packets 0 bytes 0
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
	}

	chain custom-forward {
	}
}
table ip qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
		ip saddr 10.138.12.65 jump qbs-10-138-12-65
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname != "vif*" ip saddr 10.138.12.65 drop
	}

	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
		oifname != "vif*" ip daddr 10.138.12.65 drop
	}

	chain qbs-10-138-12-65 {
		accept
		reject with icmp admin-prohibited
	}
}
table ip6 qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
	}
}
table inet qubes-nat-accel {
	flowtable qubes-accel {
		hook ingress priority filter
		devices = { ens7, lo, vif5.0, wls6 }
	}

	chain qubes-accel {
		type filter hook forward priority filter + 5; policy accept;
		meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel
		counter packets 75800 bytes 132293972
	}
}

For some reason the redirects from the Qubes OS virtual DNS servers 10.139.1.1/10.139.1.2 to your real DNS server in sys-net are not there.
It should’ve been something like this:

	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 dnat to 192.168.2.1
		ip daddr 10.139.1.1 tcp dport 53 dnat to 192.168.2.1
	}

The missing rules are the reason why DNS is not working in qubes connected to sys-net.
Did you configure your DNS server in sys-net network config?
What’s the output of this command in sys-net?

cat /etc/resolv.conf

Try to ping some domain from sys-net e.g.:

ping quad9.com

The first command gives me:

  • my ISP name
  • nameserver 192.168.1.1
  • nameserver (IPv6 address)

The second command pings correctly.

Also, I think I have missed the DNS configuration you are talking about. How do I do that?

If that can be helpful, during installation I have made sys-firewall disposable, but not sys-net, so I could save the Wi-Fi password.

Your network settings (and DNS specifically) seem to be configured automatically with DHCP.
But for some reason the firewall DNS rules are not configured.
What’s the output of this command in sys-net?

cat /var/run/qubes/qubes-ns

And what’s the output of this command in sys-net?

sudo journalctl -b -u qubes-network.service

The first command gives:
NS1=10.139.1.1
NS2=10.139.1.2
The second command gives:
Dec 23 10:02:39 sys-net systemd[1]: Starting qubes-network.service - Qubes network forwarding setup…
Dec 23 10:02:39 sys-net network-proxy-setup.sh[580]: Failed to read /qubes-netvm-gateway6
Dec 23 10:02:39 sys-net systemd[1]: Finished qubes-network.service - Qubes network forwarding setup.

Run this command in sys-net:

sudo /usr/lib/qubes/qubes-setup-dnat-to-ns

And post the output of this command:

sudo nft list chain ip qubes dnat-dns

And check if DNS will work in qubes connected to sys-net.
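The earlier post explained that the dnat-dns chain in sys-net should redirect the virtual resolvers 10.139.1.1/10.139.1.2 (from /var/run/qubes/qubes-ns) to the real resolvers from /etc/resolv.conf, and this post asks to check the chain after re-running the setup script. The script below is an added example that illustrates both points; it is not the Qubes project's own qubes-setup-dnat-to-ns script. It derives the expected rules from the two files and reports which of them are absent from `nft list chain ip qubes dnat-dns` output. The mapping assumed here (the i-th virtual resolver goes to the i-th real IPv4 resolver, and the last real one is reused when resolv.conf lists fewer) and the sample resolv.conf, qubes-ns and chain texts are constructed for the example.

```shell
#!/bin/sh
# Added example, not the Qubes project's qubes-setup-dnat-to-ns script.
# Derive the nft rules that the "dnat-dns" chain of table "ip qubes" in
# sys-net should contain, and diff them against the chain as listed by nft.

# IPv4 nameservers from resolv.conf text on stdin. IPv6 resolvers are
# skipped because the chain lives in the IPv4 ("ip") table.
real_dns_servers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }'
}

# Virtual resolver addresses (NS1=..., NS2=...) from qubes-ns text on stdin.
virtual_dns_servers() {
    sed -n 's/^NS[0-9]*=//p'
}

# Print the expected dnat rules, one per line, for UDP and TCP port 53.
# Assumed mapping: i-th virtual resolver -> i-th real resolver; if resolv.conf
# lists fewer real resolvers than there are virtual ones, reuse the last one.
expected_dnat_rules() {   # $1 = resolv.conf text, $2 = qubes-ns text
    real=$(printf '%s\n' "$1" | real_dns_servers)
    virt=$(printf '%s\n' "$2" | virtual_dns_servers)
    [ -n "$real" ] || return 1   # no IPv4 resolver: nothing to redirect to
    i=0
    for v in $virt; do
        i=$((i + 1))
        r=$(printf '%s\n' "$real" | sed -n "${i}p")
        [ -n "$r" ] || r=$(printf '%s\n' "$real" | tail -n 1)
        printf 'ip daddr %s udp dport 53 dnat to %s\n' "$v" "$r"
        printf 'ip daddr %s tcp dport 53 dnat to %s\n' "$v" "$r"
    done
}

# Print every expected rule that does not appear in the listed chain text.
# An empty result means the chain is complete.
missing_dnat_rules() {   # $1 = "nft list chain ip qubes dnat-dns" output, $2 = resolv.conf, $3 = qubes-ns
    expected_dnat_rules "$2" "$3" | while IFS= read -r rule; do
        printf '%s\n' "$1" | grep -qF -- "$rule" || printf '%s\n' "$rule"
    done
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_RESOLV='# constructed sample of sys-net /etc/resolv.conf
nameserver 192.168.1.1
nameserver fd00::1'

SAMPLE_QUBES_NS='NS1=10.139.1.1
NS2=10.139.1.2'

# Chain as it looked in the thread: only the hook line, no dnat rules.
SAMPLE_CHAIN_BROKEN='table ip qubes {
	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
	}
}'

# Chain as it should look once the redirects are installed.
SAMPLE_CHAIN_FIXED='table ip qubes {
	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 dnat to 192.168.1.1
		ip daddr 10.139.1.1 tcp dport 53 dnat to 192.168.1.1
		ip daddr 10.139.1.2 udp dport 53 dnat to 192.168.1.1
		ip daddr 10.139.1.2 tcp dport 53 dnat to 192.168.1.1
	}
}'

# Demonstration on the constructed samples.
echo "Expected dnat-dns rules:"
expected_dnat_rules "$SAMPLE_RESOLV" "$SAMPLE_QUBES_NS"
echo "Missing from the broken chain:"
missing_dnat_rules "$SAMPLE_CHAIN_BROKEN" "$SAMPLE_RESOLV" "$SAMPLE_QUBES_NS"
echo "Missing from the fixed chain (expect nothing):"
missing_dnat_rules "$SAMPLE_CHAIN_FIXED" "$SAMPLE_RESOLV" "$SAMPLE_QUBES_NS"
```

On a live sys-net the same check would be `missing_dnat_rules "$(sudo nft list chain ip qubes dnat-dns)" "$(cat /etc/resolv.conf)" "$(cat /var/run/qubes/qubes-ns)"`; any line it prints is a redirect that downstream qubes such as sys-firewall need and do not have.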