Is it possible to have groups of VMs to connect to Internet through multiple internet connections, let’s say, for example, group1 VMs will connect via ethernet, and group2 via WiFi-1 and so on? A kind of physical isolation on the same machine.
Definitely possible. It’s one of the things that makes Qubes OS so versatile.
Qubes OS in a nutshell.
I’d also create separate disposable sys-net/usb based on minimals for each network interface, each containing only packages and firmware for a dedicated device (meaning, no iwlwifi in a sys-net for ethernet connection and so on…)
Thanks, but it is virtual isolation on a physical machine…
Any hints on how to achieve it please?
Actually I was looking for a solution to combine bandwidth on my linux/windows OS (figured out both physical&virtual load balancing), and that’s where this idea came for QOS, since combining network bandwidth defeats the purpose of QOS.
I was thinking on these lines, but was skeptical about its possibility. Supposing that creating sys-net1/sys-usb1/sys-whonix-1 (say sysnuw1 group) for additional interfaces is possible, where to start with, when trying to create a NetworkManager Applet for the sysnuw1 group? Am I in the right direction here?
I hope this is possible.
Qubes’ possibilities are virtually endless. You’re on the right place, don’t give up.
Remember, when creating/organizing you basically always start from templates untouched (minimal, preferably, as I said)->cloning templates to Template1->installing software in Template1 for intended use (in the way from above link, for example)->creatingAppVMs1/dvm-templates1->creating-dispVMs1/sysVMs1
not the other way
There’s no applet for the group. Only for the sys-net1, but essentially you probably wanted to ask that, so basically I believe you are
I mentioned sys-usb in case of USB network devices. If you don’t have them, you don need sys-usb. What you need is sys-firewall, so basically, sysnuw1 group would be
and you’d chain your AppVM or dispVm to at least to a sys-firewall1 for clear net, or to a sys-whatever1 for non-clear or vpn net.
Excellent info, thanks a lot!!
I actually missed out mentioning firewall in the group, and yes, the applet was for sys-net* of the group. Now I understand that the network connections of each interface can be locked to the ssid via the NM Applet. Have one last question: the applet shows the title “[sys-net] Network Connections” as for now. So will there be two applets or only one with two sections if I created a sys-net1?
I guess I will figure it out. lol.
You are welcome.
As many as created/running sys-nets are.
There’s no reason not to. Arm yourself with patience, repeat no mistake I did not to start with minimals from the very beginning and beside it’ll be immensely rewarding, you’ll spare tremendous amount of time to do other nice things with your life, beside this nice one too - Qubes OS.
If you’re serious with Qubes, you’ll conclude earlier or sooner minimals are the point.
I tested the setup for creating 3 groups of sysnet/sysfirewall/syswhonix through three different networks.
I have the following:
Devices in qubes settings for Internal Network cards
04:00.0 Ethernet Controller: Realtek Semiconductor Co. Ltd (Wired)
05.00.0 Network Controller: Mediatek Corp (Wireless)
EXTERNAL Network cards that appear as USB devices
Digisol wireless network card
Panda wireless network card
I was able to route the ethernet to sysnet/sysfirewall/syswhonix group and the wifi to sysnet1/sysfirewall1/syswhonix1 group by allowing only the ethernet device to the sysnet and wifi device to sysnet1 in the respective QubesSettings.
How do I add the external wifi cards to sysnet2 and sysnet3?
sys-usb’s where those external wifi cards (will) reside, will be your sys-net’s for them. Just be sure check box “provides network” is checked in Settings. If needed, install additional packages for netVMs behind the link I posted above. Be aware that this is security questionable, especially if both usb ports are on the same controller.
Do I need to create sys-usb’s for each group?
Also, I cloned all the sys-nets just to keep all settings as default. Where do I find “provides network”? And is it required in my case?
If you have separate controllers or if you want to use them non-concurrently. Beware where your keyboard and mouse are…
Ok let’s say I hold only a single sys-usb qube.
How do I find out what controllers I need? How can I make them available under devices in settings? Are there any generic controllers for external USB wireless network cards?
And what link/additional packages?
A possibly-useful “case study.”
My system has both wifi (one controller) and ethernet (one controller). Almost immediately after first installing qubes, as a complete newbie, I took the default templates sys-net and sys-firewall and cloned them to sys-net-ether and sys-firewall-ether. (likewise with the DVM and the virtual machines.) I then went into sys-net and turned off the ethernet controller; I went into sys-ether and turned off the wifi controller. I made sure the entire ethernet “chain” was properly connected up. (Right after cloning, all those ethernet qubes will show the old qubes as their netvms or templates…you have to fix that!)
Start up sys-net-ether and sys-firewall-ether, and now you have two, distinct, networking setups. I can then have my AppVMs use sys-firewall, sys-firewall-ether…or neither (like Vault).
This enforces a separation between the internet and my home ethernet network. Since a qube can only have one network vm, it has to choose one or the other but not both. I additionally use color to denote which network a qube can be connected to: red, yellow and orange for wifi, purple for ether, and green, blue and gray are offline (no connection).
Later on, I did do a build from the ground up as enmus advocates, making sure that the two net templates only had drivers for what they were going to use (no wifi drivers on the ethernet template, and vice versa)…but the point is you can do what I did right out of the box! And presumably, you can run as many controllers as you want this way at least until you run out of names. And you can do it now, without having to deal with minimal templates.
One caution: until you learn how to get updates, the clock, etc. to NOT default to a qube named sys-net or sys-firewall, I would make sure that whatever sys-qubes connect to the internet, are named sys-net and sys-firewall. (I tried naming them sys-net-wifi and sys-firewall-wifi—then I discovered what I’m trying to tell you about here.) Otherwise your system will create those qubes as soon as you do an update, and that will likely cause problems.
Apologies, but the use case you have mentioned has already been accomplished, thus:
There are only two network related devices in the default sysnet settings like I have listed above. These were re-routed as I have explained above. Ethernet to sysnet and wifi to sysnet1.
I need to route two more networks, both through external USB wifi network cards, through sysnet2 and sysnet3.
The million dollar question is, how to add appropriate controllers to sysnet2 and sysnet3 to pick the external USB wifi network cards?
What I need is:
- Ethernet driver internal - default - sysnet group = DONE
- Wifi Driver internal - default - sysnet1 group = DONE
- Wifi Driver External 1 - sysnet2 group
- Wifi Driver External 2 - sysnet3 group
- Wifi Driver External 3 - sysnet4 group
N. Wifi Driver External N - sysnet(N+1) group
The idea is to have groups of VMs to route through specific networks…For example…Debian11VMs through sysnet/sysfirewall/syswhonix, Fedora36VMs through sysnet1/sysfirewall1/syswhonix1,
Standalones through sysnet2/sysfirewall2/syswhonix2.
And all just for the fun of it…since I am experimenting with the systems.
lsusb in dom0 and in sys-usb
Ah, I see. (Well, hopefully I didn’t waste my time on that–someone else might find that useful, someday.)
I assumed (implicitly) that the controllers would all show up in the devices tab in the settings dialog.
Not at all!
QOS depends on documentation by users…That’s the beauty of it and opensource projects…I feel.
lsusb in dom0 is not giving any output, both in $ and #
If you have sys-usb then controllers are likely hidden from dom0, so
you will not see output.