Internet vs LAN

A couple of years ago I tried Qubes and abandoned it. I want to try again, but wanted to ask how to set up networking/firewall for this config:

a VM (disposable, lilkely) that can access the internet, but can’t access local LAN resources. I’d like to at least isolate if from my NAS, or possibly all devices on the LAN

a VM that can access the local LAN but not the internet.

On a normal Qubes setup from the installer, if you use any qube connected to sys-firewall, then it will not be possible to reach the local network unless you create a forward rule inside sys-firewall itself.

If you connect a qube directly to sys-net and use a firewall rule on the entire local subnet, you will only be able to access the local network.

It’s not blocked by default, you need to block it explicitly using Firewall tab in qube Settings if you want to whitelist or qvm-firewall in dom0 terminal if you want to blacklist or whitelist.
You can either configure firewall rules for internet-only or lan-only qubes separately for each of them if you don’t have too many of them or you can create netvms sys-internet and sys-lan and use them as your qubes netvm to limit the internet/lan access for them.

Example configuration:
Create sys-internet netvm connected to sys-firewall that can only access the internet without LAN:
sys-net ↔ sys-firewall ↔ sys-internet ↔ internet-only-qube
To block the LAN access for sys-internet you need to blacklist your LAN subnet by running this command in dom0 terminal (assuming your LAN subnet is

qvm-firewall sys-internet add --before 0 match dsthost= action=drop

Create sys-lan netvm connected to sys-firewall that can only access the LAN without internet:
sys-net ↔ sys-firewall ↔ sys-lan ↔ lan-only-qube
To only allow the LAN access for sys-lan you need to whitelist your LAN subnet by following this guide:

Assuming your LAN subnet is then you need to add new entry with Address set to and Port/Protocol any/any.

Now qubes connected to sys-internel will only have access to the internet without access to LAN and qubes connected to sys-lan will only have access to the LAN without access to internet


My bad, my rules are set to block it and I forgot about it. Good catch.

Thanks for all thee responses! It sounds pretty strait forward. I’ll likely create 3 FirewallVMs: Internet only, LAN only and unrestricted.

Basically I want to do all my web browsing, email and zoom/discord in a disposable VM that only can access the internet. I don’t want something malicious messing with my SAN.

I’ll have a VM with LAN access for working on documents, which I’d back up to the NAS.

I may use unrestricted for Moneydance so it can download transactions from the web, and save the register to the NAS.

I was reading the documentation a bit on the firewall. Am I correct that there can be per-vm firewall rules? If so, couldn’t I just create the appropriate rules for the three cases I have:

  • forward everything, regardless of destination
  • forward only if to local network ( in my case)
  • forward only if NOT to local network

I could then set up one of the three above for each vm.


I finally verified this. I set up my personal qube to limit outgoing connections to only via the qubes manager gui. That was pretty simple.

I then used the qvm-firewall command to create a configuration that would prevent outgoing connections to

0 accept - - - dns - - -
1 accept - icmp - - - - -
2 drop - - - - - -
3 accept - - - - - - -

The commands were:

qvm firewall work add action=accept specialtarget=dns
qvm firewall work add action=accept proto=icmp
qvm-firewall work add action=drop dsthost=
qvm-firewall work add accept

In my personal qube, I can access local devices (web pages, samba shares, etc), but not internet resources.

In my work qube, it is the other way around.

Since I wanted to apply the same rules to more than one qube, I changed it into a script:

qvm-firewall $1 reset
qvm-firewall $1 del accept
qvm-firewall $1 add action=accept specialtarget=dns
qvm-firewall $1 add action=accept proto=icmp
qvm-firewall $1 add action=drop dsthost=
qvm-firewall $1 add accept
qvm-firewall $1 list