Learning Qubes - virtualization, passthrough, network, other OS, seamless mode, etc

Hello, not currently a Qubes user yet but wanting to, I discovered it after having done a somewhat similar system (but WAY less brilliant and secure !), also based on Xen.
I wanted a “Network-in-a-box” setup to avoid using multiple physical machines (ecology ^^), so I went the route of: Debian dom0 with X(fce), pfsense as a global router/fw, FreeNAS as a global datastore/NAS, a Debian VM for netservices (DNS, NTP, etc), and a few user domUs for apps, one of which is a gaming U with GPU passthrough. You can check my setup here.
dom0 has no direct internet access (except when updating), and only uses “ssh -X” to connect to apps on other Us. The WAN netcard is passthrough’ed to the pfsense machine.
I’ve read a lot of articles in the documentation, but to understand “the Qubes way” fully I have several questions. Don’t hesitate to point me to the documentation i may have missed/read too fast !

My ultimate setup may look like this :

  • using a dom0 for hosting infrastructure VMs for my whole private network: pfsense as router/edge fw, freeNAS as data storage, and an openBSD for netservices
  • using Qubes as a domU for all user-related things

Virtualization (PT=passthrough):

  • i don’t have IOMMU groups (Ryzen 1700X 8c/16t), what are the security implications ?
  • is there a way to PT safely ? Is the driver domain using PT ? (note: I don’t fully understand yet how Xen stub/driver domains work)
  • I’ve read in the docs that nested virtualization is not supported, but Xen manpages tell that a dom0 can run inside a domU. Are the docs only talking about non-Xen nested virtualization ?
  • is XSM/FLASK supported ? I just discovered it in Xen manpages, it seems a nice security feature

Network:

  • would it be possible to use pfSense (or alike) as the firewallVM ?
  • i’ve read in the docs " In order to eliminate layer 2 attacks originating from a compromised VM, routed networking is used instead of the default bridging of vif devices and NAT is applied at each network hop". What I don’t get is that if dom0 has no network stack or access to it, how is it a problem ? To understand why I ask this I need to explain my current setup: for each machine that needs network access, I create a bridge (w/o IP, bridge_stp off and bridge_fd 0) on dom0, and on each bridge I put a pfSense vif and the machine vif. The machine then goes through pfsense to access all other machines (including dom0). It seems layer2 discovery is not possible anymore on dom0 (see for example this link). How do my way compare to Qubes network setup ?

Storage:

  • has root-on-ZFS been tested in Qubes dom0 ?
  • would a freeNAS domU be able to handle storage for VM templates and/or data ?

UI integration:

  • how is seamless mode handled for a Win VM, how do QWT works and how can I adapt it to my vanilla Xen ? I want to learn how it’s done in Qubes ! My win7 domU has a PT GPU and I’m fed up with manual screen switching, and VNC is a bit a pain to use with multiple screens.

PS: sorry for the long post, and should I split this post into several ones for easier discussion ?

Thanks and have a nice day !
zithro

Are you kidding?

Why would anyone want to run a TrueNAS in a virtual machine on any desktop machine? That doesn’t make sense. The massive cpu and memory requirements would consume and reverse any performance gains, not to mention the massive attack surface it presents.

If you can afford the hardware to run such a monstrosity, maybe you should try Qubes on a spare machine first, since you mentioned you haven’t tried Qubes yet. I don’t think you quite understand the intention of Qubes yet. That’s quite a wish list though. Certainly would be interesting.

Because it’s an easy to use ZFS backed host: encrypted datasets/ZVOLs, replication, snapshots, …
On current CPUs it’s not really demanding, and can run on as few as 8GB RAM (I run my 2 installs since 4 years). Also, my use case would be to use FreeNAS concurrently to Qubes in a separate domU. The attack surface is the same as having a NAS in your network.
After this post I’m gonna try nested virtualization (Qubes as a domU), so I’ll have more info to share !
I understand the intention of Qubes, and you have to admit there are several use cases. Plus I read Qubes is thinking about running some parts in the cloud, which is no more different than having a “home cloud” !
But I have to admit that if an underlying domain can access Qubes memory, it cannot defend itself from it, that’s why I asked about XSM/FLASK.

Should I understand that my post looks like more of a wish list than a list of questions ? That wasn’t the intention ^^

Tip: yes. Generally this is better. Ideally one topic / issue per post. This way it can be re-used when others want the same (specific) thing.

1 Like

Ok, will do that then ! Be prepared for the flood, as you can see I have many questions ^^
Should I create the new posts in “General discussion” or “User support” ?
Also, I’ve read some people are reading the forum through mail, so what’s the policy on edits ? Do people get the edited post as a new mail ?
TIA !

No.

1 Like

If you need help with your problem, or you have a question about configuration, choose User support. If you want to just discuss something, choose General discussion.

1 Like