Internet Routing Issues

Hello,
For a while now I have had problems connecting qubes to the internet.
The internet works fine in sys-net and sys-firewall. I checked this via ping 8.8.8.8 and ping www.google.de.

When I connect any qube to sys-firewall, I don’t have internet access.
However my VPN-gateway which is derived from (GitHub - QubesOS-contrib/qubes-tunnel: Integration of vpn tunnels for Qubes OS) connects and when I route the traffic like sys-net->sys-firewall->vpn-gateway->personal then I can connect to the internet. But it seems to be very slow which happens rarely for this vpn provider.

I’ve had this issue previously and was able to fix it with this (No DNS in inheriting VMs after enabling fedora-35 template's fedora-updates-testing repo and updating · Issue #7429 · QubesOS/qubes-issues · GitHub).
But now the same issue occurs and I don’t know what to do.

I appreciate any help!
Let me know if you need some logs or other further information.

Regards

With this setup:
sys-net->sys-firewall->personal
If you ping 8.8.8.8 or ping www.google.de in personal qube terminal then neither will work?
What if you ping in personal qube your VPN server from sys-gateway VPN config instead?
Do you have the same template for your sys-* qubes and personal qube?
Did you change any firewall rules?

What template are you using for sys-net and sys-firewall ?
If you’re using fedora, you could consider trying debian to see if it’s a template-related issue.

Also what does /etc/resolv.conf look like for sys-net and sys-firewall? If it contains ISP IPs, please do NOT include them here.

With this setup:
sys-net->sys-firewall->personal
If you ping 8.8.8.8 or ping www.google.de in personal qube terminal then neither will work?

No, both did not work.

What if you ping in personal qube your VPN server from sys-gateway VPN config instead?

In the vpn-config I have some ips

I did not try all but none worked so far.

Do you have the same template for your sys-* qubes and personal qube?

I have the same fedora-34 template for sys-net and personal qube. sys-firewall uses the autogenerated fedora-34-dvm.

Did you change any firewall rules?

No.

Edit: Formatting.

What template are you using for sys-net and sys-firewall ?

sys-net: fedora-34, sys-firewall: fedora-34-dvm

If you’re using fedora, you could consider trying debian to see if it’s a template-related issue.

I will try. How do I do that?

Also what does /etc/resolv.conf look like for sys-net and sys-firewall ? If it contains ISP IPs, please do NOT include them here.

[root@sys-net  ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search fritz.box
nameserver 192.168.178.1

[user@sys-firewall ~]$ cat /etc/resolv.conf 
nameserver 10.139.1.1
nameserver 10.139.1.2

Fyi: I can run and browse firefox in sys-firewall without issues.

Before changing templates, try this in sys-net:

[root@sys-net ~]# sed -i '3i nameserver 1.1.1.1' /etc/resolv.conf

After that your /etc/resolv.conf should look like this:

[user@sys-net ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search fritz.box
nameserver 1.1.1.1
nameserver 192.168.178.1

Then try ping from personal again.

If that still doesn’t work, try switching templates:

[user@dom0 ~]$ qvm-prefs QUBE template debian-11

You could try changing one by one, so sys-net first, then ping, sys-firewall, ping, personal, ping.

Before changing templates, make sure to shutdown the qube you’re editing.

Oh, then it might not be a sys-net issue.
Run cat /etc/resolv.conf in your personal qube.

It’s not a DNS issue since he can’t ping IP as well.

[user@personal-fedora-34 ~]$ cat /etc/resolv.conf 
nameserver 10.139.1.1
nameserver 10.139.1.2

True, I didn’t see the ping result in the personal vm when I wrote my reply.

It just broke after a restart two days ago.

Maybe there is something wrong with sys-firewall config.
Create new AppVM sys-firewall2 based on fedora-34 template, Networking set to sys-net and check the “Provides network access to other qubes” option.
Then set sys-firewall2 as personal qube net VM and check if network will work.

I tried it. I did not have network access in the personal qube. I didn’t even have network access in the sys-firewall-2 qube.

@deeplow You just changed the name of the topic. I would not say that it’s about routing issues with VPN. I have problems connecting to the internet and for some reason the vpn qube still provides network (although very slow). So it’s a more general problem.

Ah. Sorry. I misinterpreted the thread! I’ve changed it back.

It might’ve been a misconfiguration then. Try again with these commands in dom0:

$ qvm-create -C AppVM -t debian-11 --prop maxmem=0 --prop memory=600 --prop netvm=sys-net --l green sys-firewall-test
$ qvm-prefs sys-firewall-test provides_network True
$ qvm-start sys-firewall-test 
$ qvm-prefs personal-fedora-34 netvm sys-firewall-test

Restart the personal qube and try to ping again.

Compare the output of qvm-prefs and qvm-features between sys-gateway and sys-firewall2 (the test sys qube that’s not working) in dom0 terminal:

diff -y <(qvm-prefs sys-gateway) <(qvm-prefs sys-firewall2)
diff -y <(qvm-features sys-gateway) <(qvm-features sys-firewall2)

No success. I did not have internet access in both personal and sys-firewall-test

[user@dom0 Desktop]$ diff -y <(qvm-prefs sys-net) <(qvm-prefs sys-firewall-2)
audiovm               D  dom0					audiovm               D  dom0
autostart             -  True				      |	autostart             D  False
backup_timestamp      U						backup_timestamp      U
debug                 D  False					debug                 D  False
default_dispvm        D  None					default_dispvm        D  None
default_user          D  user					default_user          D  user
dns                   D  10.139.1.1 10.139.1.2			dns                   D  10.139.1.1 10.139.1.2
gateway               D  10.137.0.5			      |	gateway               D  10.137.0.31
gateway6              D  					gateway6              D  
guivm                 D  dom0					guivm                 D  dom0
icon                  D  servicevm-red			      |	icon                  D  servicevm-green
include_in_backups    D  True					include_in_backups    D  True
installed_by_rpm      D  False					installed_by_rpm      D  False
ip                    D  10.137.0.5			      |	ip                    D  10.137.0.31
ip6                   D  					ip6                   D  
kernel                D  5.10.104-3.fc32			kernel                D  5.10.104-3.fc32
kernelopts            D  					kernelopts            D  
keyboard_layout       D  de+neo+				keyboard_layout       D  de+neo+
klass                 D  AppVM					klass                 D  AppVM
label                 -  red				      |	label                 -  green
mac                   D  00:16:3e:5e:6c:00			mac                   D  00:16:3e:5e:6c:00
management_dispvm     D  default-mgmt-dvm			management_dispvm     D  default-mgmt-dvm
maxmem                -  0				      |	maxmem                D  4000
memory                -  400				      |	memory                D  400
name                  -  sys-net			      |	name                  -  sys-firewall-2
netvm                 -  None				      |	netvm                 -  sys-net
provides_network      -  True					provides_network      -  True
qid                   -  5				      |	qid                   -  31
qrexec_timeout        D  60					qrexec_timeout        D  60
shutdown_timeout      D  60					shutdown_timeout      D  60
start_time            D  1655281229.0			      |	start_time            D  1655288676.96
stubdom_mem           U						stubdom_mem           U
stubdom_xid           D  4				      |	stubdom_xid           D  -1
template              -  fedora-34				template              -  fedora-34
template_for_dispvms  D  False					template_for_dispvms  D  False
updateable            D  False					updateable            D  False
uuid                  -  b4cd7707-fb65-4424-8ddf-76d68762beaa |	uuid                  -  b5219a64-d7d2-40fc-8d12-0c22dade1c14
vcpus                 D  2					vcpus                 D  2
virt_mode             -  hvm				      |	virt_mode             D  pvh
visible_gateway       D  				      |	visible_gateway       D  10.137.0.5
visible_gateway6      D  					visible_gateway6      D  
visible_ip            D  10.137.0.5			      |	visible_ip            D  10.137.0.31
visible_ip6           D  					visible_ip6           D  
visible_netmask       D  				      |	visible_netmask       D  255.255.255.255
xid                   D  3				      |	xid                   D  16
[user@dom0 Desktop]$ diff -y <(qvm-features sys-net) <(qvm-features sys-firewall-2)
menu-items         org.gnome.Terminal.desktop org.gnome.Nauti |	menu-items  org.gnome.Terminal.desktop org.gnome.Nautilus.des
servicevm          1					      |	servicevm   1
service.clocksync  1					      <
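
Most lines in a side-by-side qvm-prefs comparison like the one above differ for any two qubes (qid, uuid, ip and so on). As an added example, not part of the thread or of the Qubes OS tooling, this Python script parses two qvm-prefs dumps and keeps only value differences outside an ignore list; the ignore list and function names are assumptions made here, and the sample dumps are abridged from the output posted above.

```python
# Properties that differ between any two qubes (identity, addressing, runtime
# state). This ignore list is an assumption made for this example.
PER_QUBE = {"name", "qid", "uuid", "xid", "stubdom_xid", "start_time", "mac",
            "ip", "visible_ip", "gateway", "visible_gateway",
            "visible_netmask", "label", "icon"}

def parse_prefs(text):
    """Parse `qvm-prefs QUBE` output into {property: (flag, value)}."""
    prefs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        # flag column: D = default, U = unset, - = explicitly set
        if len(parts) < 2 or parts[1] not in ("D", "U", "-"):
            continue  # shell prompts, blank lines, anything else
        prefs[parts[0]] = (parts[1], parts[2].strip() if len(parts) == 3 else "")
    return prefs

def value_differences(a, b, ignore=PER_QUBE):
    """Return {property: (value_a, value_b)} where the values differ.
    Explicit-vs-default with the same resulting value is not reported."""
    diff = {}
    for key in sorted(set(a) | set(b)):
        left = a.get(key, (None, None))[1]
        right = b.get(key, (None, None))[1]
        if key not in ignore and left != right:
            diff[key] = (left, right)
    return diff

# Sample input: abridged from the qvm-prefs output posted in the thread.
SYS_NET = """\
autostart             -  True
ip                    D  10.137.0.5
maxmem                -  0
memory                -  400
netvm                 -  None
qid                   -  5
virt_mode             -  hvm
"""
SYS_FW2 = """\
autostart             D  False
ip                    D  10.137.0.31
maxmem                D  4000
memory                D  400
netvm                 -  sys-net
qid                   -  31
virt_mode             D  pvh
"""
if __name__ == "__main__":
    result = value_differences(parse_prefs(SYS_NET), parse_prefs(SYS_FW2))
    for prop, (left, right) in result.items():
        print(f"{prop:12} {left:8} {right}")
```

On the abridged sample this leaves autostart, maxmem, netvm and virt_mode, which are the settings that separate a qube holding the network device from one that only forwards traffic.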

With this setup:
sys-net->sys-firewall->personal
What’s the output of ip a and ip r commands in sys-firewall and personal qubes?
Can you ping sys-firewall IP from personal qube?