I’m trying to create a separate sys-net and sys-firewall to create a separate internet route for each Qube. For example, QubeA has dedicated internet routes sys-netA and sys-firewall A. I want to set QubeB to sys-net B, sys-firewall B, and so on.
Therefore, I tried to create a new sys-net and sys-firewall and connect to the Internet through them, but I couldn’t. I thought I had created a new sys-net and sys-firewall with reference to the default sys-net and sys-firewall, but it is written in the item on the upper right that there is no Internet communication, and you cannot choose Wi-Fi in the first place. Also, the setting screen in sys-firewall says that NetQube cannot be used in firewall settings.
By the way, just like sys-net and sys-firewall, DVM also uses the default one as a reference and operates the newly created one in the same way. Also, I was told on this forum that there is only one Internet route that can be connected at the same time, so I haven’t started the default sys-net or sys-firewall.
In addition, while the default sys-net PHV mode is HVM, the newly created PHV mode is PVH. When I go to HVM, an error will appear, and a red screen will appear on the next Qubes startup asking me to log in. I don’t remember setting a password, so I can’t do anything more.
I would appreciate any advice on how to connect the Internet with the new sys-net and sys-firewall.
You can make any number of sys-firewall and connect it to sys-net but… sys-net grabs network devices for itself so if you don’t have more than 1 network device then you can’t have more than 1 sys-net.
I had heard that sys-net is like a virtual NIC, so I mistakenly assumed that I could create multiple sys-nets. I think sys-net didn’t work because I only had one physical network device.
You can create multiple system firewalls, but will creating a new system firewall improve security in an environment where you cannot create a new system net?
The purpose of sys-net is solely to move the handling of your networking card out of dom0. Thus, having multiple sys-nets does not make a lot of sense if they are about the same card.
However, there are some cases where more than one sys-net can result in an improved security: if you have, say, a “secure” local network where you are plugged in via ethernet, you could connect associated qubes to sys-ethernet (a second sys-net), while using something like sys-wifi for general browsing. In this case, you would effectively need multiple sys-firewall.
However, if you are using sys-whonix, or torifying your internet by other means, then I think you should use multiple sys-firewalls in front of sys-whonix; otherwise, sys-whonix might not use a different tor circuit for each qube, and that could severely reduce your anonymity (please note that I’m not an expert on this topic, and maybe this is not true anymore).
In my case, there is only one Wi-Fi connection method, so I don’t think I need to create multiple sys-nets.
If I were to create a FedoraQube that doesn’t require whonix, I’d connect the existing sys-net with the new sys-firewall.
If I were to create a new whonixQube, I would like to connect the existing sys-net, the new sys-whonix, the new sys-firewall, and so on.
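The layout discussed in this thread (one sys-net holding the only network device, with a separate firewall qube per app qube), as an added example that is not part of any post: a dom0 script that prints the `qvm-create` and `qvm-prefs` commands for each chain and runs them only when `APPLY=1` is set. The names sys-firewall-a and sys-firewall-b and the `TEMPLATE` placeholder are assumptions, and QubeA and QubeB are assumed to exist already.

```bash
#!/bin/bash
# Added example for dom0. Prints the qvm-* commands by default; APPLY=1 runs them.
# Assumptions: sys-firewall-a/-b are hypothetical names, QubeA/QubeB already exist,
# and TEMPLATE must be set to a template that is installed on your system.
TEMPLATE="${TEMPLATE:-TEMPLATE-NAME-PLACEHOLDER}"
UPSTREAM="${UPSTREAM:-sys-net}"   # the one qube that holds the physical NIC

# Conservative name check for this example: letter first, then [A-Za-z0-9_-].
valid_name() {
    case "$1" in [A-Za-z]*) ;; *) return 1 ;; esac
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# Print the commands that create firewall qube $1 and route app qube $2 through it.
plan_chain() {
    for n in "$1" "$2" "$TEMPLATE" "$UPSTREAM"; do
        if ! valid_name "$n"; then
            echo "invalid qube name: $n" >&2
            return 1
        fi
    done
    echo "qvm-create --class AppVM --template $TEMPLATE --label orange $1"
    echo "qvm-prefs $1 provides_network True"   # lets other qubes use it as netvm
    echo "qvm-prefs $1 netvm $UPSTREAM"         # every firewall shares the single sys-net
    echo "qvm-prefs $2 netvm $1"                # this app qube gets its own firewall
}

# Run the plan, stopping at the first failing command.
apply_chain() {
    if [ "$TEMPLATE" = "TEMPLATE-NAME-PLACEHOLDER" ]; then
        echo "set TEMPLATE to an installed template first" >&2
        return 1
    fi
    cmds=$(plan_chain "$1" "$2") || return 1
    printf '%s\n' "$cmds" | sh -ex
}

main() {
    for pair in sys-firewall-a:QubeA sys-firewall-b:QubeB; do
        if [ "${APPLY:-0}" = 1 ]; then
            apply_chain "${pair%%:*}" "${pair#*:}" || return 1
        else
            plan_chain "${pair%%:*}" "${pair#*:}" || return 1
        fi
    done
}
main
```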