Thanks so much for responding! I’ve read a lot of your posts.
I couldn’t change the settings on the router itself because I can’t find a way to access it. I have only accessed it through its web interface LuCI before, haven’t tried SSH, but I assume since I can’t access the web interface now (from sys-net itself and from qubes that get their connection from sys-net), I won’t be able to access any interface.
> So that now has 192.168.2.1 and netmask of 255.255.255.0
> The effect of the netmask is to restrict access to anything with this address: 192.168.2.X
I understand that - all 192.168.2.X addresses will be related to this router only and other addresses like 192.168.3.X will be available for other use, unrelated to that router.
> You wouldn’t expect the route to any external machine to appear in the qubes, because they don’t care. All that matters is that they know what the default gateway is. So don’t worry about that.
By “the route to any external machine” do you mean that for a qube using sys-net as a NetVM (let’s call it qube P) the fact that sys-net is communicating with two routers will be unavailable? Just like I don’t know how many routers a router in my ISP is connected to and only care about the gateway, i.e. the point that’s between my network and my ISP’s (or qube P’s network and sys-net’s)? These may be dumb questions, but I never had to deal with networks too much, so I may be missing basic things most people assume are common knowledge.
Here are the outputs of `ip addr` and `ip route`:
```
[user@sys-net ~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 70:85:c2:83:c8:35 brd ff:ff:ff:ff:ff:ff
3: ens7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 70:85:c2:83:c8:33 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global ens7
       valid_lft forever preferred_lft forever
4: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 70:85:c2:83:c8:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.195/24 brd 192.168.1.255 scope global dynamic noprefixroute ens9
       valid_lft 25330sec preferred_lft 25330sec
    inet6 fe80::718b:efab:1d65:6a4d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
5: wls8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 8e:90:65:ec:e8:e9 brd ff:ff:ff:ff:ff:ff
6: vif5.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 32
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    inet 10.137.0.5/32 scope global vif5.0
       valid_lft forever preferred_lft forever
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link
q      valid_lft forever preferred_lft forever
[user@sys-net ~]$ ip route
default via 192.168.1.1 dev ens9 proto dhcp metric 100
10.137.0.6 dev vif5.0 scope link metric 32747
192.168.1.0/24 dev ens9 proto kernel scope link src 192.168.1.195 metric 100
192.168.2.0/24 dev ens7 proto kernel scope link src 192.168.2.1
[user@sys-net ~]$ ip -d addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 70:85:c2:83:c8:35 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 16334 numtxqueues 8 numrxqueues 8 gso_max_size 65536 gso_max_segs 65535
3: ens7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 70:85:c2:83:c8:33 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 9000 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet 192.168.2.1/24 brd 192.168.2.255 scope global ens7
       valid_lft forever preferred_lft forever
4: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 70:85:c2:83:c8:37 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 9216 numtxqueues 8 numrxqueues 8 gso_max_size 65536 gso_max_segs 65535
    inet 192.168.1.195/24 brd 192.168.1.255 scope global dynamic noprefixroute ens9
       valid_lft 25297sec preferred_lft 25297sec
    inet6 fe80::718b:efab:1d65:6a4d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
5: wls8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 8e:90:65:ec:e8:e9 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 256 maxmtu 2304 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
6: vif5.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 32
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65517 numtxqueues 2 numrxqueues 2 gso_max_size 65536 gso_max_segs 65535
    inet 10.137.0.5/32 scope global vif5.0
       valid_lft forever preferred_lft forever
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link
       valid_lft forever preferred_lft forever
[user@sys-net ~]$ ip -d route
unicast default via 192.168.1.1 dev ens9 proto dhcp scope global metric 100
unicast 10.137.0.6 dev vif5.0 proto boot scope link metric 32747
unicast 192.168.1.0/24 dev ens9 proto kernel scope link src 192.168.1.195 metric 100
unicast 192.168.2.0/24 dev ens7 proto kernel scope link src 192.168.2.1
```
I pasted the `-d` version too, just in case it’s helpful.
ens7 is router A (the one with the IP camera). ens9 is router B (the router I use to access the internet).
I’m not sure I fully understand how qube P will distinguish connections to router A and router B. Does sys-net being a middle man (or woman or unman) between the routers and qube P count as a NAT? Is each such NetVM (sys-firewall, sys-whonix) a NAT of its own? Or did I get the terminology completely wrong?
Thanks again for taking the time to respond to a newbie question.
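As an added illustration (not part of the original post and not Qubes’ own code), here is the selection sys-net’s kernel makes for a packet that qube P hands it, replayed over the four routes from the `ip route` output above: the longest matching prefix wins, so anything in 192.168.2.0/24 leaves through ens7 towards router A and everything else takes the default route through ens9 towards router B. The interface addresses come from the `ip addr` output; the camera address 192.168.2.50 is hypothetical, and the source-address rewrite assumes sys-net masquerades forwarded traffic to the egress interface’s address.

```python
import ipaddress

# sys-net's routing table, copied verbatim from the `ip route` output in the post.
IP_ROUTE_OUTPUT = """\
default via 192.168.1.1 dev ens9 proto dhcp metric 100
10.137.0.6 dev vif5.0 scope link metric 32747
192.168.1.0/24 dev ens9 proto kernel scope link src 192.168.1.195 metric 100
192.168.2.0/24 dev ens7 proto kernel scope link src 192.168.2.1
"""

# Primary IPv4 address per interface, taken from the `ip addr` output in the post.
IF_ADDRS = {"ens7": "192.168.2.1", "ens9": "192.168.1.195", "vif5.0": "10.137.0.5"}

def parse_routes(text):
    """Parse `ip route` lines; assumes every attribute is a `key value` pair (true here)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        attrs = dict(zip(tok[1::2], tok[2::2]))
        routes.append({
            "net": ipaddress.ip_network(dst),  # a bare host like 10.137.0.6 becomes /32
            "via": attrs.get("via"),           # None for on-link routes
            "dev": attrs["dev"],
            "src": attrs.get("src"),           # preferred source, if the route names one
            "metric": int(attrs.get("metric", 0)),
        })
    return routes

def lookup(routes, dst_ip):
    """Kernel rule: longest matching prefix wins, lower metric breaks ties."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        raise LookupError(f"no route to {dst_ip}")
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def forward(routes, dst_ip):
    """Egress interface, next hop and post-NAT source for a packet qube P sends via sys-net."""
    r = lookup(routes, dst_ip)
    next_hop = r["via"] or dst_ip                 # on-link destination: deliver directly
    nat_src = r["src"] or IF_ADDRS[r["dev"]]      # assumption: sys-net MASQUERADEs to egress address
    return r["dev"], next_hop, nat_src

ROUTES = parse_routes(IP_ROUTE_OUTPUT)

if __name__ == "__main__":
    for target in ("192.168.2.50", "8.8.8.8", "192.168.1.1"):  # 192.168.2.50: hypothetical camera
        print(target, "->", forward(ROUTES, target))
```

Because the NAT happens once, at the interface the route selected, qube P never needs to know about either router: it sends everything to its own gateway in sys-net, and sys-net’s table does the splitting.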