Is it possible to set up sys-net and sys-firewall as a private LAN router?

I have a sys-net qube connected to a bunch of client computers via crossover ethernet cable. I want it to:

  1. Act as an automatic DHCP server for serving IP addresses to these clients
  2. Allow clients to talk to each other (preferably via sys-firewall but that may be a tall order, plus not super necessary)
  3. Allow clients to talk to qubes via sys-firewall (client ↔ sys-net ↔ sys-firewall ↔ service qube)

I’ve done the router thing successfully before using a single StandaloneVM with an external distro. I’d rather do it the proper Qubes way this time if possible and not super impractical. Can someone help? Currently sys-net does not seem to be serving DHCP, after setting the client connections to “Shared with other computers” in NetworkManager. It does show each interface as 10.42.x.1 in ip addr show and the NM connection notifications respond appropriately to the cable getting dis/connected, but the clients time out while trying to connect. What’s the Qubes way of setting up DHCP?

Note that no internet is involved here. This sys-net is only connected to other local PCs.


Add this nft rule in sys-net /rw/config/qubes-firewall-user-script:

nft add rule ip qubes custom-input iifname "enxXXXXXXXXXX" meta l4proto udp udp dport 67 accept

Change enxXXXXXXXXXX to your ethernet interface name.

Impossible unless your Qubes OS has multiple ethernet ports and you have all of the clients directly connected to Qubes OS using cable and not using switch.

It should work but you will need to add the DNAT nft rule in sys-net /rw/config/qubes-firewall-user-script to change the DNS server:

nft flush chain ip qubes dnat-dns
nft add rule ip qubes dnat-dns iifname "enxXXXXXXXXXX" ip daddr 10.42.0.1 udp dport 53 dnat to 10.139.1.1
nft add rule ip qubes dnat-dns iifname "enxXXXXXXXXXX" ip daddr 10.42.0.1 tcp dport 53 dnat to 10.139.1.1

Or maybe this would be better:

nft add chain ip qubes custom-dnat-dns '{ type nat hook prerouting priority dstnat - 1; policy accept; }'
nft add rule ip qubes custom-dnat-dns iifname "enxXXXXXXXXXX" ip daddr 10.42.0.1 udp dport 53 dnat to 10.139.1.1
nft add rule ip qubes custom-dnat-dns iifname "enxXXXXXXXXXX" ip daddr 10.42.0.1 tcp dport 53 dnat to 10.139.1.1
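Putting the DHCP accept rule from the first reply and the custom-dnat-dns chain from this one together, here is a complete /rw/config/qubes-firewall-user-script as an added example (not code from the thread or from the Qubes project). It assumes Qubes 4.2 nftables with the custom-input, custom-forward and user-created custom-dnat-dns chains in the ip qubes table, one client interface per cable with the 10.42.x.1 gateway address NetworkManager’s “Shared” mode assigns, and 10.139.1.1 as the Qubes DNS address from the reply above; the interface names are placeholders. It also adds a custom-forward rule so clients on different interfaces can reach each other through sys-net, which is the nftables counterpart of an iptables FORWARD accept.

```shell
#!/bin/sh
# Added example of a complete /rw/config/qubes-firewall-user-script for a
# sys-net that routes a private LAN of directly cabled clients (Qubes 4.2
# nftables). Interface names, the 10.42.x.1 gateway addresses and the
# 10.139.1.1 DNS address are assumptions taken from the thread, not values
# verified on your system.
set -eu

# One "interface=gateway" pair per client-facing interface (placeholder names).
CLIENT_IFS="${CLIENT_IFS:-enxAAAAAAAAAAAA=10.42.0.1 enxBBBBBBBBBBBB=10.42.1.1}"
CLIENT_NET="10.42.0.0/16"   # NetworkManager "Shared" hands out one 10.42.x.0/24 per interface
QUBES_DNS="10.139.1.1"      # address Qubes rewrites DNS queries to for attached qubes

# Print the rule set in nft script syntax for the given interface=gateway pairs.
router_rules() {
    # Own chain for DNS rewriting so Qubes' dnat-dns chain stays untouched;
    # "add chain" is a no-op if it exists and the flush keeps re-runs idempotent.
    echo 'add chain ip qubes custom-dnat-dns { type nat hook prerouting priority dstnat - 1; policy accept; }'
    echo 'flush chain ip qubes custom-dnat-dns'
    # Client <-> client traffic routed between interfaces (the iptables FORWARD
    # equivalent); assumes the custom-forward chain of the ip qubes table.
    printf 'add rule ip qubes custom-forward ip saddr %s ip daddr %s accept\n' "$CLIENT_NET" "$CLIENT_NET"
    for pair in "$@"; do
        ifname="${pair%%=*}"
        gw="${pair#*=}"
        # DHCP discover/request arrives on udp/67; sys-net's input policy drops it otherwise.
        printf 'add rule ip qubes custom-input iifname "%s" meta l4proto udp udp dport 67 accept\n' "$ifname"
        # Queries clients send to their gateway address go to the Qubes DNS address
        # (only matters once the LAN is given a path out through sys-firewall).
        printf 'add rule ip qubes custom-dnat-dns iifname "%s" ip daddr %s udp dport 53 dnat to %s\n' "$ifname" "$gw" "$QUBES_DNS"
        printf 'add rule ip qubes custom-dnat-dns iifname "%s" ip daddr %s tcp dport 53 dnat to %s\n' "$ifname" "$gw" "$QUBES_DNS"
    done
}

# Number of "add rule" lines a rule set would load; a quick sanity check.
rule_count() { router_rules "$@" | grep -c '^add rule'; }

# Apply when Qubes runs the file at boot; just print when run by hand for review.
# shellcheck disable=SC2086  # word splitting of CLIENT_IFS is intended
case "${0##*/}" in
    qubes-firewall-user-script) router_rules $CLIENT_IFS | nft -f - ;;
    *) router_rules $CLIENT_IFS ;;
esac
```

Run it by hand from any other file name to review the generated rules before installing it; once copied to /rw/config/qubes-firewall-user-script and made executable, Qubes runs it at sys-net start and the rules are loaded through `nft -f -`. The forward rule is scoped to 10.42.0.0/16 so it does not widen what sys-net forwards for the qubes behind sys-firewall; reaching those qubes from the clients is a separate matter governed by their own firewall settings.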

Yay progress! That command allowed my clients to get IPs instead of timing out. :partying_face: So, port 67 is DHCP, I’ll have to remember that.

Now, how can I get them to talk to each other? Ping responds with Destination Port Unreachable and any attempts to telnet to open ports give an instant Connection refused. I added this route on each client too but it didn’t fix anything:
ip route add 10.42.0.0/16 via 10.42.x.1

If we still had iptables I could just iptables -I FORWARD 2 -s 10.42.0.72 -d 10.42.2.145 -j ACCEPT and vice versa and it would probably work but nooooo they had to go and change everything up on me :skull: send me all the way back to noob square zero

Yeah that’s what I’m doing. Qubes’ sys-net and sys-firewall are the switch in this case.

It’s an offline network, so there wouldn’t be any DNS (unless I’m missing something)