Enforcing Isolation at the LAN level

The Qubes project is perfect for isolating and segmenting the various confidentiality levels of a single computer.

We use it in my team to give us this level of isolation between the domains.

However, this only holds inside the machine. Network-wise, all the traffic from all the qubes is NATted. As such, there is no way to identify, on the LAN, which traffic is coming from which AppVM.

Currently we have an infrastructure where we want to restrict some parts to be accessed only from certain Qubes. Setting up VPNs in the LAN seems overkill at this stage.

A potential solution I foresee is setting up VLANs on sys-net that tag traffic coming from the domUs.

Has anyone already thought about this? I’d like to get guidance, I’m sure I’m not the only one having this thought 😉

In that case you would need to trust the VLAN tagging done by an untrusted VM: sys-net.

It might be better to use IPv6 in Qubes and in your LAN network, so you could identify each qube by its own IPv6 address.

Using VLANs sounds fragile, as Qubes OS is not meant to use them; if an update breaks a working setup you would have few clues about it. A VPN is much more bulletproof here, although it can be cumbersome if you have many qubes… Tailscale / Headscale could help here, maybe.


You need NetworkManager, with its service running, in every VM that the connection will go through.
Then you configure the VLAN in NetworkManager.
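As an added illustration of the NetworkManager step above (not taken from the thread or from the Qubes project), this is the keyfile-format connection profile that creates a tagged sub-interface on the uplink inside sys-net. The parent interface name `eth0`, VLAN ID `10`, and the `192.0.2.0/24` addressing are assumptions chosen for the example; substitute your own.

```ini
; Assumed path: /etc/NetworkManager/system-connections/vlan-lan10.nmconnection
; (mode 0600, owned by root; NetworkManager ignores world-readable keyfiles)

[connection]
id=vlan-lan10
type=vlan
; Assumed name of the tagged sub-interface created in sys-net
interface-name=eth0.10
autoconnect=true

[vlan]
; Assumed physical uplink of sys-net and the VLAN ID to tag with
parent=eth0
id=10
; 1 = REORDER_HDR, the normal setting for an 802.1Q sub-interface
flags=1

[ipv4]
; Example addressing on the tagged segment (documentation range, assumed)
method=manual
addresses=192.0.2.10/24
gateway=192.0.2.1

[ipv6]
method=disabled
```

The equivalent one-liner is `nmcli connection add type vlan con-name vlan-lan10 ifname eth0.10 dev eth0 id 10`. Two caveats a practitioner should keep in mind: in a template-based sys-net, files under `/etc` do not survive a reboot unless they are persisted (for example via `/rw/config/rc.local` or bind-dirs), and this profile only creates the tagged interface. Steering a particular qube's traffic onto it still has to be done inside sys-net (policy routing keyed on that qube's internal `10.137.x.x` source address), which is exactly why the replies point out that the tag is only as trustworthy as sys-net itself.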

That approach is very opportunistic.
You know that VLANs happen on L2, right?
You know that everything in a TCP header can be changed on the way, right?
And your last VM is an untrusted NetVM… it can change it all. That’s how, and why, NAT works too 🙂

It’s not me that needs VLANs.
Each VM is a separate machine with a separate NIC, so you need to configure the VLAN on each of them and point it at the parent machine with the VLAN. You can’t point the VLAN in an AppVM at the router, because the AppVM has no connection to it.

If you have a config that works without such a VLAN chain, then guide the OP instead of complaining.

Thanks for the IPv6 suggestion, I hadn’t thought about it.
At this stage I’m not proficient enough in IPv6 (or Qubes) to set it up.

In this IPv6 LAN network, multiple Qubes machines would be present (team infra). I assume that the same qube on every machine would have the same IPv6 address, right? The same way all the qubes on every machine share the same 10.137.0.0/24. This would be an issue, no?

I think they should have unique addresses.


We do NAT on IPv6 too.
