Iptables not available in sys-net in Qubes OS 4.2.1

haha… what I did was to remove ip saddr 192.168.0/24 also from sys-firewall custom-forward and custom-dnat-droppy. I removed it from /rw/config/qubes-firewall-user-script but didn’t restart it. I just restarted and it works now.
In order for the rule to work with ip saddr I need to specify the exact IP from the machine that I request the webserver (in the network of RouterA) or to put that network (192.168.1.0/24 which is different than the network that RouterB has which is 192.168.10.0/24)… damn…

Wait… I remember I tried from a device connected to RouterB while I had ip saddr 192.168.10.0/24 on sys-net and sys-firewall and didn’t work…

@apparatus I just realised something. The MAC address on the wifi interface wls6f0 keeps changing after a sys-net restart. That's why RouterB is not allocating the "right" IP to my Qubes machine.
Is there a way to keep the MAC address stable on the wifi interface? I'm wondering if it's the same behavior on the eth interface.

Another very odd situation happens with sys-firewall. I restarted it several times and I was checking nftables when I discovered that sometimes the following rules appear wrong even though I didn't change anything.

	chain custom-forward {
		iif 2 ip daddr 10.137.0.18 tcp dport 8989 ct state established,related,new counter packets 0 bytes 0 accept
	}

	chain custom-dnat-droppy {
		type nat hook prerouting priority filter + 1; policy accept;
		iif 2 tcp dport 8989 ct state established,related,new counter packets 0 bytes 0 dnat to 10.137.0.18
	}

Note the iif 2 instead of iif == "eth0"

With iif 2 the whole config doesn't work. I need to add new rules with iif == "eth0". But I don't understand why, and what changes that value. If I put it in /rw/config/qubes-firewall-user-script, why doesn't it keep it like that?

Qubes OS uses a random MAC address for WiFi and a persistent MAC address for Ethernet connections by default.
If you want to use a persistent MAC address for WiFi, then change "Cloned MAC Address" in the WiFi connection settings to Preserve or Permanent.

I don’t know what could change iif == "eth0" to iif 2.
You can also use iifgroup 1 instead of iif == "eth0".

After testing it out I've found that this is caused by the disappearance of the eth0 interface when you restart the net qube of sys-firewall or set its net qube to none.
I guess it's better to use iifgroup 1 instead of iif == "eth0".
And the firewall guide should be corrected as well.

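To make the iifgroup suggestion above concrete, here is an added example of a forwarding fragment in the style of /rw/config/qubes-firewall-user-script. It is not code from this thread or from the Qubes OS project. It assumes the rules live in table ip qubes with a forward base chain, that the uplink is in interface group 1 as stated above, and it reuses the chain names custom-forward and custom-dnat-droppy and the 10.137.0.18:8989 target from the rules posted earlier; the source network 192.168.1.0/24 is a constructed value.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Qubes OS project.
# A fragment in the style of /rw/config/qubes-firewall-user-script in
# sys-firewall that forwards one inbound TCP port to an internal qube.
# It matches the uplink with "iifgroup 1" rather than iif "eth0": an
# interface name is resolved to an index when the rule is loaded, so once
# eth0 goes away and comes back the stored rule shows a stale "iif 2" and
# stops matching, which is the behaviour reported in this thread.
#
# Assumptions (not confirmed by the thread): rules live in table "ip qubes"
# with a "forward" base chain, the uplink is in interface group 1, and the
# chain names custom-forward / custom-dnat-droppy are taken from the thread.

# Print the nft rules for one forwarding: $1 destination qube IP,
# $2 TCP port, $3 source network allowed to reach the service.
build_rules() {
  dst_ip="$1"; port="$2"; src_net="$3"
  cat <<EOF
add chain ip qubes custom-forward
add rule ip qubes custom-forward iifgroup 1 ip saddr $src_net ip daddr $dst_ip tcp dport $port ct state new,established,related counter accept
add chain ip qubes custom-dnat-droppy { type nat hook prerouting priority filter + 1; policy accept; }
add rule ip qubes custom-dnat-droppy iifgroup 1 ip saddr $src_net tcp dport $port ct state new,established,related counter dnat to $dst_ip
EOF
}

# Return 0 when rule text still matches on the interface name, which is
# the fragile form this example exists to avoid (useful as a self-check
# before loading a hand-edited script).
uses_iface_name() {
  printf '%s\n' "$1" | grep -qE 'iif (== )?"eth0"'
}

# Load the rules: create the custom chains if missing ("add chain" is a
# no-op for an existing chain), flush them so re-running the script after
# a sys-net restart does not duplicate rules, then load the rule text
# atomically with "nft -f -". Requires root inside sys-firewall.
apply_rules() {
  nft add chain ip qubes custom-forward
  nft add chain ip qubes custom-dnat-droppy '{ type nat hook prerouting priority filter + 1; policy accept; }'
  nft flush chain ip qubes custom-forward
  nft flush chain ip qubes custom-dnat-droppy
  build_rules "$@" | nft -f -
  # Hook custom-forward into the forward base chain exactly once.
  nft list chain ip qubes forward | grep -q 'jump custom-forward' \
    || nft insert rule ip qubes forward jump custom-forward
}

# Example invocation from the user script (values from the thread plus a
# constructed source network):
#   apply_rules 10.137.0.18 8989 192.168.1.0/24
```

After sys-net is restarted, `nft list ruleset` in sys-firewall should still show the rules with `iifgroup 1` rather than a numeric `iif`, which is the quick way to confirm the problem described above is gone.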

I've created a PR for this change here:


Qubes OS uses a random MAC address for WiFi and a persistent MAC address for Ethernet connections by default.

yeah, just found that. The thing is that the "Cloned MAC Address" change in the WiFi connection is done only for that SSID where the wireless interface is connected. I suppose if I change the SSID the Cloned MAC Address won't have the value set earlier.
Anyways, I'm going to test it.

I am happy that by mistake I found a “malfunction”.

Thank you so much for your time and support in dealing with my noob questions. Despite some issues with the new Qubes OS and my new machine, I really don't want to let it go. I feel that this is exactly what I need for my work.