Default IP ranges for sys-firewall, AppVMs, etc

Hi everyone :wave:

When glancing through the Qube Manager, I see most IP addresses start by, and a few start by

The Networking section of the docs provides a few (similar) examples, but doesn’t reference the IP ranges that are used by default in Qubes OS.

Does anyone know where can I find reference documentation about the default IP ranges that are used for different purposes?

AFAIK those are hard coded IP ranges. And you can find them in the ‘source code’ (and as a result in the .xml config files of your VMs)
as you noticed, the documentation not even mentioning this.

But most of the users are not even care - till they have an IP collision :wink:


Thanks for the pointer @Zrubi!

I think I found where the IP addresses that I see some from :slightly_smiling_face:
For future reference: a NetVMMixin is defined in qubes-core-admin. That module defines two methods: get_ip_for_vm and get_ip6_for_vm (source).

The first method builds IPv4 addresses in the following ranges:

  • (for DispVMs)
  • (otherwise)

Just in case anyone wonders, the ranges in IPv6 are defined by the second method as follows:

  • yyy::a8a:xxxx (for DispVMs)
  • yyy::a89:xxxx (otherwise)

In those patterns, yyy is a “Qubes-specific site-local prefix” and xxxx is an hexadecimal representation of the you got in IPv4. (Note that a8a and a89 are the hexadecimal representations of 10.138 and 10.137 respectively, so you get a “matching” IPv4 and IPv6 for any given VM.)


Have not reviewed source in-depth, but my quick observations on IPs used:

  • 10.137.x.y = typical qube IP address
  • 10.138.x.y = disposable qubes
  • = sys-whonix performs DNAT for downstream qubes to access tor over designated ports
  •, = all ProxyVMs and NetVMs perform DNAT for downstream qubes for DNS access
1 Like

Great addition @icequbes1, thank you!

I’ll see if I can find the source of those ranges to add them to the list. (If you find them first, or anyone knows where to find them, please chime in! When we’ve got the sources I’ll edit the post above with credits :slightly_smiling_face:)

Just following up, the IPs for DNS use are defined in the same file mentioned earlier as those for DispVMs and others. :+1: (Those are not really IPs that will get assigned to any qube you create, but I agree that they’re worth noticing nonetheless.)

I couldn’t find any reference to 10.152... in the code.

Yes, it would be somewhere in the whonix code base. Whonix workstation uses 10.152.a.b addresses as proxies while Whonix gateway performs Destination NAT to redirect these IP addresses to specific tor ports. I have not referenced the code; it is just an observation.