I did not manage to get sys-net OpenBSD working. Can someone help me by saying what's wrong here?
@omgsolucky I can't see your images.
It would be helpful if you could summarise what they show.
I assume that you have the OpenBSD system online, and can access the
internet from it.
How have you set forwarding on that sys-net? What do your firewall rules
look like on that system?
How did you configure the netvm of that system? What is the content of
the forward and custom-forward chains?
Yes, I can access the internet @unman
My /etc/examples/pf.conf is exactly the one from the guide. I only use re0 instead of em0.
My /etc/resolv.conf cfg: nameserver 192.168.18.1 # resolvd: re0
Mirage-firewall netvm is none, sys-net-openbsd netvm is mirage-firewall & personal netvm is mirage-firewall.
Advanced configuration of mirage-firewall: 32 MB initial & 32 MB max, 1 vcpu, kernel mirage-firewall, pvh mode & kernel opts --ipv4=10.137.0.31 --ipv4-gw=10.137.0.2. My mirage-firewall IP was just the first one. I was able to see this IP from the mirage-firewall settings. However, this IP has just disappeared for now and I don't have information on the IP, DNS, etc. of the mirage-firewall. Just blank space. And my OpenBSD IP is the same as ipv4-gw, so everything is fine here, I guess.
When I try to open some website on my personal VM, which is my test VM for this setup, the website enters a loading loop and after a few minutes it gives an error: Possible security risk looking up this domain. Firefox can't protect your request for this site's address through our secure DNS provider. Firefox wasn't able to connect to mozilla.cloudflare-dns.com
When I try to ping 4.4.4.4 in the console of personal, watching tcpdump -ni xnf0 logs inside OpenBSD, it shows 10.137.0.31 > 4.4.4.4: icmp: echo request
When I try to ping qubes-os.org, it shows 10.137.0.31.59172 > 10.139.1.1.53: 63771+ A? qubes-os.org.(30).
And so much spam trying to connect to Firefox's DNS: 10.137.0.31.7604 > 10.139.1.2.53: 49471+ AAAA? mozilla.cloudflare.com.(44)
Edit: I will manually copy all my configuration of /etc/examples/pf.conf so it will be better to you.
set skip on lo
match in proto { udp tcp } from xnf0:network to any port domain rdr-to 9.9.9.9 port domain
pass in proto { udp tcp } from xnf0:network to any port domain rdr-to 9.9.9.9 port domain
match out on re0 inet from xnf0:network to any nat-to re0
pass out on re0 inet from xnf0:network to any nat-to (re0)
block return
pass
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild
As there are packets arriving in OpenBSD (and the src address is that of qubes-mirage-fw), everything seems to be fine in all the other qubes.
Can you check whether packets are coming out of your OpenBSD VM (e.g., tcpdump on your re0 interface should show the ICMP request packets to 4.4.4.4, as well as the replies, and also your DNS requests to 9.9.9.9)?
Ok, so I use sys-net (openbsd) + mirage-firewall for all networking qubes and it works.
But the problem is that when my windows-11 HVM is using mirage-firewall, if I shut it down, mirage-firewall always gets shut down too.
When Windows is networked through this, all other VMs fail to start.
My system has 64 GB RAM, out of that Windows uses 8 GB, mirage uses 64 MB & sys-net of OpenBSD uses 400 MB.
Yes, I also managed to reproduce that, thank you for reporting. The issue arises when the Windows VM disconnects its virtual interface. I currently have no workaround and I'll try to fix that for the next release.
These are my logs from tcpdump -ni re0. Do they help at all? I cannot understand anything from this dump.
I struggle with them too because the packets that are going out of your BSD VM are not related to your ping (i.e., no ICMP from 192.168.18.109 to 4.4.4.4 if 192…109 is your computer's IP address).
To me the issue is probably in the NAT configuration inside BSD, but I don't see it.
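The check suggested above (compare what arrives on xnf0 with what leaves re0) can be automated over saved tcpdump -n output. This is an added example, not code from the thread or from Qubes/mirage-firewall; the sample lines are constructed from the shapes quoted in the thread, and 192.168.18.109 is assumed to be re0's address.

```python
import re

# Line shapes as printed by `tcpdump -n` in this thread:
#   "10.137.0.31 > 4.4.4.4: icmp: echo request"
#   "10.137.0.31.59172 > 10.139.1.1.53: 63771+ A? qubes-os.org.(30)"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ICMP_RE = re.compile(IP + r" > " + IP + r": icmp: echo request")
DNS_RE = re.compile(IP + r"\.\d+ > " + IP + r"\.53: ")


def parse_flows(lines):
    """Return (icmp, dns) lists of (src, dst) pairs found in tcpdump -n output."""
    icmp, dns = [], []
    for line in lines:
        if m := ICMP_RE.search(line):
            icmp.append((m.group(1), m.group(2)))
        elif m := DNS_RE.search(line):
            dns.append((m.group(1), m.group(2)))
    return icmp, dns


def check_translation(inside, outside, ping_target, resolver, wan_ip):
    """Compare traffic seen on the inside interface (xnf0) with traffic leaving
    the outside interface (re0) and report whether pf's nat-to / rdr-to rules
    had the expected effect. inside/outside are tcpdump -n lines; ping_target
    is what the client pinged (4.4.4.4), resolver is the rdr-to target
    (9.9.9.9), wan_ip is re0's own address (assumed 192.168.18.109)."""
    in_icmp, _ = parse_flows(inside)
    out_icmp, out_dns = parse_flows(outside)
    return {
        # the firewall qube's ping reached OpenBSD at all
        "icmp_arrived": any(dst == ping_target for _, dst in in_icmp),
        # after nat-to, the echo must leave re0 sourced from re0's address
        "icmp_nat_ok": (wan_ip, ping_target) in out_icmp,
        # rdr-to must rewrite the client's 10.139.x resolver to 9.9.9.9
        "dns_rdr_ok": (wan_ip, resolver) in out_dns,
        # DNS leaving re0 for any other destination means rdr-to did not match
        "dns_leaked": any(dst != resolver for _, dst in out_dns),
    }


XNF0 = [  # constructed, modelled on the lines quoted in the thread
    "10.137.0.31 > 4.4.4.4: icmp: echo request",
    "10.137.0.31.59172 > 10.139.1.1.53: 63771+ A? qubes-os.org.(30)",
]
RE0_WORKING = [  # constructed: what re0 should show when both rules apply
    "192.168.18.109 > 4.4.4.4: icmp: echo request",
    "4.4.4.4 > 192.168.18.109: icmp: echo reply",
    "192.168.18.109.59172 > 9.9.9.9.53: 63771+ A? qubes-os.org.(30)",
]
RE0_BROKEN = [  # constructed: only unrelated traffic, like the poster's dump
    "192.168.18.109.45678 > 192.168.18.1.443: Flags [P.], seq 1:2",
]
```

Feed it `tcpdump -ni xnf0` and `tcpdump -ni re0` captures taken during the same ping; a result with icmp_arrived set but icmp_nat_ok and dns_rdr_ok cleared matches the symptom described in this thread.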
Exactly. I have no idea what's happening. But maybe I can say that I skipped the step "Enter the DNS nameservers listed in the 'Qube Manager'", since the BSD install didn't ask me to enter DNS nameservers.
Maybe the problem is here. It's the only thing that I didn't follow in the guide.