“A bit more advanced networking setup. The usbvm has a 3G modem assigned, and it is possible to dynamically switch between the Net VMs without restarting any other VMs.”
How to configure the “firewall” (see the added link to the image) to:
have access to two or more NetVMs at the same time?, or
dynamically, without a restart, switch between (among) NetVMs?
Actually, if you use sys-net → sys-net-gsm → sys-firewall, you can use sys-net-gsm to use either its own dedicated network interface and disable eth0 (communicating with sys-net), or enable eth0 and deactivate the sys-net-gsm interface.
I have a similar setup to use VPNs that don’t pass all the traffic. They are used before any other netvm, so if they can route the traffic to their VPN, it goes there; otherwise it’s passed to the next netvm. Here you could do the same with physical interfaces.
and you would like to use only one vpn-provider to go through (I am convinced this is a terrible idea in terms of privacy, anonymity, etc., but I am interested in the possible technical implementation of it).
So, at the end of the day, you should be able to use any one of these channels from any vhost without switching, changing, etc. the interfaces of the sys-vpn itself …
Anything after sys-firewall could be in random order, but for performance reasons it’s better to have the most used or fastest near sys-firewall to avoid switching packets between lots of qubes.
The first “working” sys-net (offering a default route) will provide internet to the vpn qube.
If you have a proper killswitch on sys-vpn, you are assured that your traffic will go through the VPN for all the qubes behind it, whatever the net-vm used upstream.
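The “proper killswitch” referred to above, as an added example that is not from this thread or from Qubes OS itself: an nftables ruleset for a sys-vpn qube that lets nothing leave except through the tunnel, so a downstream qube can never fall through to the upstream NetVM when the tunnel is down. The interface names (eth0 towards the upstream NetVM, tun0 for the tunnel, vif* for downstream qubes), the endpoint address and the port are assumptions and placeholders, and the ruleset lives in its own table so the qubes and qubes-firewall tables that Qubes manages are left untouched.

```nft
# Added example, not from the thread or from Qubes OS.
# Assumptions (placeholders, not from the page): upstream NetVM via eth0,
# tunnel interface tun0, downstream qubes on vif*, endpoint VPN_SERVER_IP:VPN_PORT.
define VPN_SERVER_IP = 192.0.2.1   # placeholder: replace with the real VPN endpoint
define VPN_PORT = 1194             # placeholder: OpenVPN's default UDP port

table inet vpn_killswitch {
    # Traffic originated by the sys-vpn qube itself
    chain output {
        type filter hook output priority filter; policy drop;
        oifname "lo" accept
        # The only thing allowed to leave towards the upstream NetVM is the
        # tunnel transport itself, so the VPN can (re)connect.
        oifname "eth0" ip daddr $VPN_SERVER_IP udp dport $VPN_PORT accept
        # Everything else from this qube must already be inside the tunnel.
        oifname "tun0" accept
        # Anything else is dropped; the log line makes leaks visible in dmesg/journal.
        log prefix "vpn-killswitch out: " drop
    }

    # Traffic forwarded for the qubes behind sys-vpn
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies coming back through the tunnel to downstream qubes
        ct state established,related accept
        # Downstream qubes may exit only through the tunnel, never via eth0.
        iifname "vif*" oifname "tun0" accept
        log prefix "vpn-killswitch fwd: " drop
    }
}
```

Load it with `nft -f <file>` in the sys-vpn qube and confirm with `nft list table inet vpn_killswitch`. With the tunnel interface absent, the forward chain has no accepting rule left for vif* traffic, so downstream qubes lose connectivity instead of silently using whichever upstream NetVM currently offers a default route; that is the property the reply relies on. A WireGuard setup would use its own port instead of the OpenVPN placeholder.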
How to practically implement it?
From the GUI, if you access the Settings of the sys-vpn qube, you have the option to add only one Net Qube to it.
How can you add more, different Net Qubes to the same Qube?
It does, but only with one netvm. You can’t attach multiple netvms to a single qube. Qubes routes everything to the gateway by default. With a multiple-netvm setup, you would have a more complicated setup, and the 0.0.0.0 route wouldn’t be possible. Since everything is created with a custom script, it would be very hard to get everything to work as you described in your network diagram.
OT/
Before posting images on the forum, please kindly consider this.
/OT
Here is an older discussion (from 2017), in which @unman suggests a way to attach NICs to a VM. You can check /etc/xen/scripts/vif* for current existing scripts.
Once you have a second NIC for uplink connection, you will need some form of routing. Setting up a load balancer is non-Qubes-specific and I can’t help you with that.
Having in mind the above-mentioned restrictions, I see at least two ways to resolve this:
1. Using separate sys-firewalls and vpn-dvms (logged in with different accounts):
work → sys-firewall-enterprise-wifi → enterprise-vpn-dvm → sys-wifi,
untrusted → sys-firewall-private-wifi → private-vpn-dvm → sys-wifi, etc.
as everyone had suggested above. I have just implemented it, and it is working as expected, and
2. Using an open source software firewall appliance (e.g. OPNsense) as an HVM, where you can have many interfaces, routing, NAT, etc., and could implement as many VPN-providers as needed:
work → sys-firewall-enterprise-wifi → opnsense (hvm) → interface=enterprise-vpn → sys-wifi,
work → sys-firewall-private-wifi → opnsense (hvm) → interface=private-vpn → sys-wifi
I am in the process of implementing it. Will let you know when done.
Best,