Different external IP addresses through one ethernet port

Hello everyone, I’m currently trying to implement Qubes OS for a corporate environment.
I would like to know if I can make it so that my machine has, at the same time, one secure IP address (secure/admin) and another (general use), both of them passing through the same eth0 port. I want this so the server that make some IP filtering only allow action from certain VMs.

I’ve tried connecting two sys-net to the eth0 port, but that’s blocked by the system.

Can I make it so that, on one sys-net, communication is forwarded with the IP addresses of 2 different firewalls?

The goal is that communication forwarded with the admin IP would be allowed to access some servers through VPN and IP authentication, and others won’t.

  1. My current idea/wish is to do something like this:

| special rights VMs |--| firewall |--| VPN |--| firewall 2 |___________| firewall 3 |--| regular VMs |
                                                                  |
                                                             | sys-net |
                                                                  |
                                                              ip1  ip2

  1. Is the only solution to connect the regular ones to a sys-net 2 and connect it via a Wi-Fi or USB connection?

  2. Is it sufficient to block access from regular VMs to admin servers via the firewall?

Thanks for your attention.


You can also consider qrexec to connect the local port in VPN qube to remote VPN server port in sys-net qube and then route connection to your VPN server through ip1 in sys-net:

Or configure it manually using qrexec and socat instead of qubes.ConnectTCP.
You can set VPN netvm to none.

Configure VPN in VPN qube to connect to 127.0.0.1:12345.
Listen for VPN connection in VPN qube:

socat TCP-LISTEN:12345,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm sys-net user.adminvpn"

In sys-net forward connection from qrexec to VPN server 10.1.2.3 and VPN port 12345:

socat STDIO TCP:10.1.2.3:12345

Here is an example:

But it’s using the old qrexec format, so you need to change it to the new one. Like this for example:
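
The qrexec and socat forwarding described in the reply above, staged as a service file and a policy file. This is an added example, not part of the reply or of the posts it links to; the qube name vpn-admin, the policy file name 30-user-adminvpn.policy and the staging-root parameter are assumptions, and the policy lines use the /etc/qubes/policy.d format.

```shell
#!/bin/sh
# Added example: stage the qrexec service (sys-net side) and its policy (dom0 side).
# The qube name "vpn-admin" and the policy file name are assumptions.

SERVICE=user.adminvpn

# Run in sys-net: write the service that pipes the qrexec stream to the VPN server.
# $1 = root dir ("/" on a live system), $2 = VPN server IPv4 address, $3 = port
write_service() {
    root=${1%/} host=$2 port=$3
    # Accept only digits and dots for the host and digits for the port, so
    # nothing unexpected ends up inside the generated script.
    case $host in *[!0-9.]*|'') echo "bad host: $host" >&2; return 1;; esac
    case $port in *[!0-9]*|'') echo "bad port: $port" >&2; return 1;; esac
    mkdir -p "$root/etc/qubes-rpc" || return 1
    printf '#!/bin/sh\nexec socat STDIO TCP:%s:%s\n' "$host" "$port" \
        > "$root/etc/qubes-rpc/$SERVICE" || return 1
    chmod 0755 "$root/etc/qubes-rpc/$SERVICE"
}

# Run in dom0: allow only the VPN qube to call the service, deny every other caller.
# $1 = root dir, $2 = calling qube, $3 = target qube
write_policy() {
    root=${1%/} src=$2 dst=$3
    for name in "$src" "$dst"; do
        # Conservative character set for qube names
        case $name in *[!A-Za-z0-9_-]*|'') echo "bad qube name: $name" >&2; return 1;; esac
    done
    mkdir -p "$root/etc/qubes/policy.d" || return 1
    # Line layout: service  argument  source  target  action
    {
        printf '%s * %s %s allow\n' "$SERVICE" "$src" "$dst"
        printf '%s * @anyvm @anyvm deny\n' "$SERVICE"
    } > "$root/etc/qubes/policy.d/30-user-adminvpn.policy"
}
```

Call `write_service / 10.1.2.3 12345` in sys-net and `write_policy / vpn-admin sys-net` in dom0. With the explicit deny line, a qube other than the VPN qube cannot open the forwarded connection through this service.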

Before we launch into details it would be helpful if you could say what
version of Qubes you are using. We also want to avoid X/Y problems, and
I find it quite difficult to “get” your diagram, so it would help if you
could explain what this means - “the server that make some IP filtering
only allow action from certain VMs”. What server? Some qube or something
external? Why do you want to have two IP addresses?

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.