How to tell sys-whonix which network connection to use?

Hi,

Recently, I started using 2 network connections simultaneously: one Wi-Fi and one Ethernet. I need that for some network troubleshooting. Previously, I used only one Ethernet network connection.

I notice that when I am connected to either of the two (the other one being disconnected), sys-whonix works fine. However, when both are connected, using the “Restart Tor” (qvm-run -q -a --service -- sys-whonix qubes.StartApp+gateway-reloadtor) freezes at 5% and unless I disconnect one of the two, it remains this way and I am unable to use all that Whonix provides.

What is the way to tell sys-whonix which network connection to prefer/prioritize?

Hello,

Are your two network interfaces connected to the same network, or to two different networks?

For troubleshooting, do you need to have a default route for both interfaces to reach the internet, or is it for LAN troubleshooting?

> Are your two network interfaces connected to the same network, or to two different networks?

Same Internet provider, different IP addresses (not fixed), different (unrelated) client accounts. The cell tower is the same.

WiFi: connects via a USB WiFi dongle to a mobile phone (working as a hotspot).
Ethernet: connects to a LAN router, which itself connects to another LTE router.

> For troubleshooting, do you need to have a default route for both interfaces to reach the internet, or is it for LAN troubleshooting?

I don’t know. I am not a network expert.

it’s two different networks

when you mentioned troubleshooting, I thought it was because you were analysing the network :wink:

can you run ip route in sys-net and share the output? It might leak some IPs, not sure if it’s an issue for you? If so, the least I need to know is if the lines starting with “default” have the same metric number at the end of the line.

> it’s two different networks

I suppose it depends on how you define a network. From an IP viewpoint, both the local network addresses and the Internet ones are in the same IPv4 CIDR block. So, I am not really sure what the right answer is.

> when you mentioned troubleshooting, I thought it was because you were analysing the network :wink:

That still doesn’t make me an expert :slight_smile:

> can you run ip route in sys-net and share the output? It might leak some IPs, not sure if it’s an issue for you? If so, the least I need to know is if the lines starting with “default” have the same metric number at the end of the line.

default via 192.168.xx.1 dev <ethernet interface> proto static metric 100 
default via 192.168.yy.1 dev <wireless interface> proto dhcp src 192.168.yy.zz metric 600

Sorry, they are two different local networks; they have different routers / gateways.

I thought it might be the two routes having the same metric; in such a case there would be a round-robin where packets would leave a random interface each time to distribute the load, creating issues with TCP sessions. But it is not the case.

By default, and it is what you observed in the command output, Ethernet interfaces take priority over WiFi interfaces. Basically, there should be no traffic going out of your WiFi interface when both are connected, so this should not affect Tor use.

I don’t understand why you have the issue, it does not make sense. Debugging this could be really complicated :confused:

This should be done in sys-net with a routing rule based on the source address of the whonix qube; this is not straightforward :frowning: I wrote how to proceed with a user ID and not a source IP, and not on Qubes OS.

You could try to adapt it if you want. I may give it a try if I can figure out some time in the week.

Based on the information you’ve given in some of your posts, is there any specific reason why you don’t create a separate qube similar to sys-net for your wifi dongle? It will be isolated from your ethernet requests, and you can attach sys-whonix wherever you want and be sure it goes to the right network.

> I don’t understand why you have the issue, it does not make sense.

It is because the Ethernet router is not connecting properly to the Internet (what I am troubleshooting) and when Ethernet is prioritized, as you explained, there is no Internet at all (no Tor connection either).

I just thought there may be a convenient way to say “I want to prioritize WiFi” but it doesn’t seem so. I looked at /usr/lib/qubes/setup-ip but I still couldn’t figure out why and how Ethernet is prioritized. Maybe it is another script that handles this.

> Based on the information you’ve given in some of your posts, is there any specific reason why you don’t create a separate app qube similar to sys-net for your wifi dongle? It will be isolated from your ethernet requests, and you can attach sys-whonix wherever you want and be sure it goes to the right network.

That is a possible workaround. The goal was not to need it though.

Anyway, I have temporarily fixed the network trouble, so I currently don’t need the WiFi network. It would still be interesting to know how to handle prioritization though.

Sorry, but that is not how the Linux kernel works - you CANNOT add two routes with the same metric (you get a “RTNETLINK answers: File exists”). This applies to any kind of route, default or not.
You can have a multipath route though, which has weights and can do round-robin, but the syntax is different and it is not used at all under Qubes OS.

thanks! I thought this was achievable through metrics

ah, so when you connect both WiFi and Ethernet, the Ethernet has no Internet access? This makes sense now. Changing the metric of the route to use WiFi can be an option.

It is network manager which handles this, it’s not Qubes OS related.

> ah, so when you connect both WiFi and Ethernet, the Ethernet has no Internet access?

No.

The WiFi router has Internet access.

The Ethernet router has no Internet access regardless of Qubes OS being connected to that router.

Connecting Qubes to the WiFi router => Qubes has Internet access.
Connecting Qubes to the Ethernet router => Qubes has no Internet access.
Connecting Qubes to both routers => Qubes has no Internet access.

IOW, the lack of Internet access of the Ethernet router simply propagates to Qubes OS because that connection takes priority.

> This makes sense now. Changing the metric of the route to use WiFi can be an option.
>
> It is network manager which handles this, it’s not Qubes OS related.

How do you do this?

ok, this is what I meant

you can try the various solutions, first try with ip route https://www.baeldung.com/linux/change-network-routing-metric

Thanks. I will have a look.
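
The thread ends on changing the route metric so that the WiFi default route wins. The following is an added example, not code from any poster in the thread: shell functions that read `ip route` output, report which default route the kernel currently prefers (lowest metric), and compute a metric that would put a chosen interface first. The interface names `eth0`/`wlan0`, the addresses and the `<wifi-connection-name>` placeholder are assumptions; `ipv4.route-metric` is the NetworkManager connection property that sets the metric.

```shell
#!/bin/sh
# Added example: inspect default routes and pick a metric that makes one win.
# Constructed sample mirroring the output posted in the thread
# (addresses and interface names are placeholders).
SAMPLE_ROUTES='default via 192.168.10.1 dev eth0 proto static metric 100
default via 192.168.20.1 dev wlan0 proto dhcp src 192.168.20.5 metric 600
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.7 metric 100'

# Print "metric dev" for every default route read from stdin.
# A default route printed without a "metric" keyword has metric 0.
default_routes() {
    awk '$1 == "default" {
        dev = ""; metric = 0
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1)
        }
        if (dev != "") print metric, dev
    }'
}

# Interface whose default route the kernel prefers (lowest metric).
preferred_dev() {
    default_routes | sort -n -k1,1 | head -n 1 | cut -d' ' -f2
}

# Metric that would put interface $1 ahead of every other default route.
# Fails if there is no competing route or it already sits at metric 0.
metric_to_prefer() {
    lowest=$(default_routes | awk -v want="$1" '$2 != want { print $1 }' |
        sort -n | head -n 1)
    [ -n "$lowest" ] && [ "$lowest" -gt 0 ] || return 1
    echo $((lowest / 2))
}

# In sys-net, replace the sample with live data: ip route | preferred_dev
echo "currently preferred: $(printf '%s\n' "$SAMPLE_ROUTES" | preferred_dev)"
m=$(printf '%s\n' "$SAMPLE_ROUTES" | metric_to_prefer wlan0) &&
    echo "nmcli connection modify <wifi-connection-name> ipv4.route-metric $m"
```

The printed `nmcli` line only takes effect once the connection is re-activated, after which `ip route` should show the WiFi default route with the lower metric.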