IP Address configuration?

Hi folks,

I have a little issue in relation to the virtuals.

I would like to be able to set the networking addresses and subnets of each virtual and system.
This way I can set for example…

Sys-Net IP obtained from Router or set manually.
Behind Sys-Net to have a 10.9.5.0/24 address

Behind sys-firewall to have 192.168.98.0/24
Behind sys-firewall2 to have 192.168.43.0/24
Behind sys-firewall3 to have 10.98.23.0/24

And etcetera… to be able to set each like I would normally using VDE.
This way I can create a completely self-contained virtual network. Like having one HUB and multiple machines connecting to it, and the DNS/DHCP on that HUB to have full control over the network. Not just the firewall/external VM.

This would also allow for multiple external VMs. So I could have many machines connected to multiple networks.

This table might help…?

192.168.90.5
|
/ \ \
10.5.4.3 10.5.4.9 |
/ / |
| - 192.168.76.3 | - 192.168.12.3 |
| - 192.168.76.4 | - 192.168.12.4 |
| - 192.168.76.5 | - 192.168.12.5 |
\ |
|- 10.8.4.3 |
|- 10.8.4.5 |
|- 10.8.4.9/10.5.4.78 -/

You can configure multiple sys-net VMs. I started with the base and added one that has a manual OpenVPN config on it.

You can attach one or more firewalls to network VMs.

There is an article about creating a ProxyVM - basically a shim between things you use and network or firewall. This article references some very old Fedora links that are now missing. I would like to fix this, but I’m new here, and I can only move just so fast when it comes to new stuff.

Things I have not seen with Qubes yet - the VirtualBox notion of a “Host-Only Network”. I do not know how to take a /24 of private space and let multiple VMs talk to each other. I also have not yet seen how to configure a VM to provide a daemon, but there are articles about implementing Pi-hole for use with VMs, so I believe it’s possible.

Be prepared to hear “Can’t do that with Qubes because of security concern X”, I’ve now encountered this a couple times. Qubes only looks like Linux, there is a “Qubes Way” to get things done, takes a bit to digest.

I noticed this, too. I don’t want to add a question unrelated to this thread, but have been trying to find the relevant missing information to be able to try that setup. Until I do, I’ve set up a VM using my VPN app run through a cloned firewall to sys-net. I set the app to autostart, and it does, but I have to sign into the VPN each startup. Haven’t changed that yet. With this setup, I haven’t figured out yet how to set firewall rules for the VM. I do check that the IP is correct, and no DNS leaks, but know that having the firewall rules in place would be better.

I can use other operating systems that are better firewalls for control and all, but it doesn’t work with Qubes well enough.

I can disable things and reconfigure things to get it working, but it means I have to create 3 times as many virtuals.

1 external, one for each internal, and one behind the internal to act as the intervm networking to allow them to do what they are supposed to.

So I want to turn 3 virtuals into 1.

I always have the firewalls, and doing this was a piece of cake in Qubes 3. But then they broke that.

But you can’t install Qubes 3 or 2 or 1 on recent hardware. Have to do it virtually and then hope like hell it boots.

If they were not using SystemDumb then I would have less issues. And this new NTFW whatever it is thing instead of just iptables makes it harder too.

If it was just iptables and have the private img cloned then I could have it done in seconds using my old scripts.

I did not use VPNs or anything like that. I just used Linux to its full extent.

If they made a version that did not require MicroSoft SystemDumb then I could make a system that operates 10 times faster and uses less than half the resources.

But I can’t rewrite the QubesManager at this time because I don’t know their commands to do everything there that they are trying to do, so it’s slow. I had it working for Qubes 3 and it used 1/30th of the resources compared to their QubesManager at the time.

I had even built all my networking stuff into it.

If they can provide the details on how to change and set up all this stuff then that would make life so much easier.

I keep thinking of going back to Qubes 1 when they didn’t have SystemD and just use that. But that has too many security holes in it these days unfortunately.

No, Qubes IS Linux. It is Fedora on XEN.

VPN Gateway won’t work for what I want.

I have Host-Only Network, that’s easily doable in Qubes 4.2 or even 4.1.
I actually have that set up for one virtual on one port for communication.

They say it is a security concern, but I found no issue with it luckily for what I was doing since I have a well locked-down machine, more than just the basic Qubes security.

I can connect from VM to VM directly and have them do networking that way, but I want to use preferably something like VDE like I would on just a normal Unix-based machine.

So it’s something that I can do, creating a complete /24 subnet. But it’s annoyingly complicated as it would take 3 virtuals to create the connection, and then more configurations because the private.img doesn’t get cloned for some stupid reason. And they didn’t even leave in the OPTION to have the private.img from the template cloned either.

So no, no Pi-Hole…

I have VMs running many different daemons, that’s the easy part. It’s just the general inter-communication with their “new” systems they have in place that make things a million times more difficult to secure and set up than it used to be.

I used to just set up a few iptables rules and I’d have new subnets under the network and along with host-only networking, not to mention DNS servers for those individual networks.

Used to have so much done, then they changed things for no reason…

Check this post for your inspiration for your Host-Only networking.

Art work that was formerly possible in prior versions is no longer within reach for Qubes 4. Got it.

I’ve sampled it periodically since 2013 or 2014, now is the first time I’m going to stick to it and actually do some work with it. Just in the last 48 hours I actually did something work related with the system, a first for me.

These things you describe really sound to me like Proxmox would be better suited for building them. The constraints there have to do with the fact that it can be clustered, rather than the focus on security above all else that we get with Qubes.

Things that were doable are still doable, just don’t know how to do them yet.

I’ve been using Qubes since pre 1, so I’ve seen it grow from brilliant to decent to okay to alright.
If they used an operating system that was NOT a “testing ground” for new things, then that would be a bit better in my opinion.

I have used ProxMox before, but that will not suit what I’m currently attempting to do, and would not be good for my PC that I use for so many things on a daily basis from Coding Applications to Website Development, Secure Server Access, Remote Assistance and much more.

Qubes can’t be clustered?
I’ll have to look into that again, because it used to be able to be from what I remember for server side applications.

Qubes achieves security by being a single user on a single system and there’s no sense of any high availability function like one can arrange with three machines running Proxmox.