I ran into a niche use case for my Qubes setup and didn't readily find any threads discussing my particular issue. Now that I've resolved it, I can document the process for public memory.
Background: I maintain a handful of IoT devices on a secondary VLAN, isolated from the main network on which my computer and other trusted devices operate. I strictly limit the WLAN internet connections that can be made from this VLAN via the router firewall. I have two network interfaces: a USB WiFi adapter and an ethernet adapter.
Problem:
- I need to interface with these IoT devices over WiFi, for updates & day-to-day operation.
- I must maintain access to WLAN internet from Qubes through my primary network over ethernet, while simultaneously connecting to IoT devices over the VLAN with WiFi
- I should be able to quickly boot up a program & interface with any particular IoT device
- At rest, my desktop should not establish or maintain a connection to the VLAN
Solution:
- Create a qube from which you will run whatever programs you need. I have one or two rather complex programs requiring persistent home and root, so I opted for a StandaloneVM, but a simpler setup could use a DisposableVM or AppVM. I named mine 'iot'.
- Clone sys-firewall. I named my clone 'sys-firewall-iot'. Under the 'iot' qube's settings, change its net qube (netvm) to this new qube.
- Clone sys-net. I named my clone 'sys-net-iot'. Under 'sys-firewall-iot' settings, change its net qube to 'sys-net-iot'. The clone inherits sys-net's PCI device assignment, so you must also remove the primary network adapter from the Devices tab of 'sys-net-iot'; otherwise it will fail to start, because it tries to attach a device that already belongs to sys-net.
- Start the 'iot' qube. If the previous steps were configured correctly, sys-firewall-iot and sys-net-iot will start along with it.
- Attach your secondary network adapter to sys-net-iot, and set the attachment to persist so that it happens automatically every time the qube boots. If it is a USB adapter like mine, this is easily done through the sys-usb device icon in your primary display's panel tray.
- Kill all three qubes (iot, sys-firewall-iot, sys-net-iot)
- Optional: use the firewall settings of the 'iot' qube to limit what it can reach through this new interface. I have a small number of IoT IPs and will only be using SSH and SFTP, so I limited connections from the iot qube to only those hosts and protocols.
- Restart iot. Once again, sys-firewall-iot and sys-net-iot should start
- In your panel tray you should now see a second network manager icon. As long as your system has the drivers for this network adapter, it will populate with network options. If using WiFi, select your network and save the credentials.
- Optional: I did not want the IoT network config to run by default, so I disabled start on boot across all three qubes
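The same chain can be built from a dom0 shell with the qvm-* tools, which is handy if you want the steps reproducible or want to review them before they run. The script below is an added example, not the original post's commands: the qube names follow the post, while the StandaloneVM template, the PCI ID of the primary adapter, the USB device ID of the WiFi dongle, the IoT host addresses and the allowed port are placeholders you must replace with your own values (`qvm-pci list`, `qvm-usb list`). With DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: build the iot -> sys-firewall-iot -> sys-net-iot chain from dom0.
# Illustration only, not the original post's own commands. Qube names follow the
# post; the template, PCI ID, USB ID, IoT hosts and port below are placeholders.
set -eu

IOT_VM="iot"
FW_VM="sys-firewall-iot"
NET_VM="sys-net-iot"
TEMPLATE="fedora-39"              # placeholder: any installed template
PRIMARY_NIC_PCI="dom0:00_19.0"    # placeholder: see `qvm-pci list sys-net-iot`
WIFI_USB="sys-usb:2-3"            # placeholder: see `qvm-usb list`
IOT_HOSTS="192.168.50.10 192.168.50.11"   # placeholder IoT addresses on the VLAN
IOT_PORTS="22"                    # SSH; SFTP rides on the same port

# With DRY_RUN=1 each command is printed rather than executed, so the plan can be
# reviewed (or tested) on a machine that has no qvm-* tools.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: create the work qube (a StandaloneVM, as in the post), clone the two
# service qubes and point the netvm properties down the chain.
clone_chain() {
    run qvm-create --class StandaloneVM --template "$TEMPLATE" --label orange "$IOT_VM"
    run qvm-clone sys-firewall "$FW_VM"
    run qvm-clone sys-net "$NET_VM"
    run qvm-prefs "$IOT_VM" netvm "$FW_VM"
    run qvm-prefs "$FW_VM" netvm "$NET_VM"
}

# Step 2: the clone inherits sys-net's PCI assignment; detach it, or sys-net-iot
# fails to start because the adapter already belongs to sys-net. Then attach the
# USB dongle persistently so it follows sys-net-iot across boots (--persistent is
# the 4.1 flag; check `qvm-usb attach --help` on your release).
assign_adapters() {
    run qvm-pci detach "$NET_VM" "$PRIMARY_NIC_PCI"
    run qvm-usb attach --persistent "$NET_VM" "$WIFI_USB"
}

# Step 3 (optional in the post): replace the default allow-all rule with an
# allow-list for the IoT hosts, then drop everything else.
restrict_firewall() {
    run qvm-firewall "$IOT_VM" reset            # back to the single default accept
    run qvm-firewall "$IOT_VM" del --rule-no 0  # remove it; list is now empty
    for host in $IOT_HOSTS; do
        for port in $IOT_PORTS; do
            run qvm-firewall "$IOT_VM" add action=accept dsthost="$host" proto=tcp dstports="$port"
        done
    done
    run qvm-firewall "$IOT_VM" add action=drop
}

# Step 4: keep the chain off at boot; it comes up only when iot is started by hand.
disable_autostart() {
    for vm in "$IOT_VM" "$FW_VM" "$NET_VM"; do
        run qvm-prefs "$vm" autostart false
    done
}

setup_iot_chain() {
    clone_chain
    assign_adapters
    restrict_firewall
    disable_autostart
}

# Usage from dom0:  RUN_SETUP=1 DRY_RUN=1 sh iot-chain.sh   (review), then without DRY_RUN.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_iot_chain
fi
```

Because the firewall rules are applied to the 'iot' qube, they are enforced by sys-firewall-iot, not by the qube itself, which is what you want if the iot qube is ever compromised by one of the devices it talks to.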
End Result: by default, my system only connects to my main network via the ethernet adapter through sys-net. But when I need to work on my IoT devices, I can launch the IoT qube: sys-net-iot automatically connects to my IoT VLAN, and I can begin work immediately. I maintain the connection to my main network throughout, allowing me to access other sites or cloud services if needed. When finished, I manually kill the three IoT qubes to disconnect from the network.
Limitations: a given network adapter cannot be assigned to two qubes at the same time. In this example, I maintain primary internet access through an ethernet adapter on sys-net, and the IoT WiFi connection through a separate USB dongle on sys-net-iot. You will be unable to configure this with a single physical network interface. USB WiFi dongles can be picked up from your local retailer pretty cheaply.