Need help setting up routing

I want to use my Qubes computer to route traffic for other computers (all wired directly with crossover cables). Each computer needs to go through its own net VM, and ideally also have access to network services hosted inside Qubes app VMs. How do I go about the whole routing thing? The furthest I got was figuring out how to attach specific NICs to specific qubes but that’s about it… I have no idea how to establish a connection like this (without a router in between)

Thanks in advance!

PS: The computers in question are a mix of Linux and Windows machines. I assume getting the Linux boxes hooked up will be easier so let’s start with that, hopefully I can figure out the Windows stuff on my own once I’ve done it in Linux


Anybody? ;-;

It’s possible that you’ve already sorted this out.
If not, then it’s relatively simple to do. (simple here depends on
your level of Linux knowledge, as there’s very little Qubes specific
work to be done.)
Many problems that people have in Qubes are actually not Qubes specific.
This is one of those.
You can find many guides online to using a computer as a gateway/router,
and those should help you. The only Qubes specific part is that you have
to do this in individual qubes, (and possibly install software in to a
template.)

You don’t say, but I assume that you want to route all the traffic outbound via sys-net. It’s been a while since I did this but this should do -

Select your qube, and change the settings to use HVM mode, deselect memory balancing, and increase the memory to (say) 800M - you may need to adjust this later depending on the use. Then attach the NIC on the “Devices” tab.

Start the qube, you’ll see you have an eth0 - the Qubes networking, and an eth1 - the new NIC - probably has some different name.

Configure the NIC with a static IP address.

Edit /rw/config/rc.local to enable forwarding - add the line
echo 1 > /proc/sys/net/ipv4/ip_forward

The Qubes firewall rules already provide for POSTROUTING masquerade, so traffic from the attached computer will leave the qube with the IP address of that qube. This means that all you have to do is provide a rule to forward traffic coming in from eth1:
iifname eth1 counter packets accept
will do. You need to insert this in the FORWARD chain before the final drop rule. Run
nft -a list table filter
to get the handle of the final drop rule, and put the new rule before that: in /rw/config/rc.local
nft insert rule filter FORWARD position HANDLE_NUMBER iifname eth1 accept

You’ll need to ensure that the NIC config is retained between restarts,
and you can do this either by setting it in rc.local, or by using
bind-dirs to store the config between restarts.
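The procedure in the reply above, written out as an added example of an /rw/config/rc.local fragment; this is not code posted in the thread or shipped by Qubes. It assumes the attached NIC is named eth1 (HVM qubes often get names like ens7, so set LAN_IF to match), a constructed LAN address of 192.168.50.1/24, and that the Qubes firewall chain is ip filter FORWARD ending in a drop rule. Note that `iifname` is an nftables match keyword used inside an `nft` rule, not a separate command, so it is part of the nftables package. The sample chain listing is constructed to match the shape `nft -a list` prints; the handle numbers are made up.

```shell
#!/bin/sh
# Added example (not from the thread): rc.local fragment for a Qubes router qube.
# Assumptions: LAN NIC is eth1 (override with LAN_IF), LAN address 192.168.50.1/24
# (constructed), Qubes firewall chain is "ip filter FORWARD" with a final drop rule.

LAN_IF="${LAN_IF:-eth1}"
LAN_ADDR="${LAN_ADDR:-192.168.50.1/24}"

# Print the handle of the last rule containing "drop" in the chain listing read
# from stdin (the output of `nft -a list chain ip filter FORWARD`). Exits 1 when
# no drop rule is present so the caller never inserts at an empty position.
last_drop_handle() {
    awk '
        /drop/ && /# handle [0-9]+$/ { handle = $NF }
        END { if (handle == "") exit 1; print handle }
    '
}

# Constructed sample in the shape `nft -a list chain ip filter FORWARD` prints.
# Handle numbers are invented for the example.
SAMPLE_NFT_OUTPUT='table ip filter {
	chain FORWARD { # handle 2
		type filter hook forward priority filter; policy accept;
		ct state established,related accept # handle 5
		iifname "vif*" oifname "vif*" drop # handle 6
		counter packets 0 bytes 0 drop # handle 7
	}
}'

# Run the parser over the constructed sample; returns the final drop handle.
check_parser() {
    printf '%s\n' "$SAMPLE_NFT_OUTPUT" | last_drop_handle
}

# Apply the configuration on the live system (needs root, nft and the NIC).
apply_router_config() {
    # Static address on the LAN side, as the reply recommends.
    ip addr add "$LAN_ADDR" dev "$LAN_IF"
    ip link set "$LAN_IF" up
    # Enable IPv4 forwarding.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    handle="$(nft -a list chain ip filter FORWARD | last_drop_handle)" || {
        echo "no drop rule found in ip filter FORWARD; not inserting" >&2
        return 1
    }
    # `insert ... position N` places the rule before the rule with handle N,
    # i.e. before the final drop. The existing Qubes POSTROUTING masquerade
    # then rewrites the source address to the qube's own.
    nft insert rule ip filter FORWARD position "$handle" \
        iifname "$LAN_IF" counter accept
}

# Only touch the system when run explicitly as `rc.local apply`; a plain run
# just exercises the handle parser against the constructed sample.
case "${1:-}" in
    apply) apply_router_config ;;
    *) echo "last drop handle in sample: $(check_parser)" ;;
esac
```

Because rc.local runs on every qube start, the rule is re-inserted each boot without needing to persist nftables state; only the NIC address has to be set here (or via bind-dirs as the reply notes).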

First of all thank you so much for helping me!! I thought this was a lost cause. I tried what you said but it didn’t quite work :confused:

I created a qube as you described (HVM mode 800MB RAM with no balancing) and added the remaining three NICs (the fourth one was given to sys-net since this 4-piece NIC seemed to disable my motherboard’s internal NIC). The qube launches fine, but it doesn’t seem to detect the three NICs. As a matter of fact there are no /dev/eth devices. I’m assuming the net vm internet device is /dev/net but I could be wrong. I looked through all devices and there’s no naming sequence that includes either three or four devices except for drive partitions.

Maybe I have to do something special in order to “activate” the NICs? I had no problems when I gave sys-net its NIC, it accepted it just fine as if it were the old one it had been using. Maybe I’m missing something sys-net has that my router qube doesn’t. I tried giving it “provides network” as well as the “clocksync” service but nothing changed.

Any idea what’s wrong? Thanks again!

I would start by attaching just one, rather than three.
Look in the log for that qube - sudo journalctl -b will show you the
log since the last boot. Step through the log, looking for any errors,
and anything relating to NICs prior to NetworkManager entries.
You may see advice re missing firmware.

Hey sorry for the late reply - I broke my system and it’s taken me a while to get back to playing around with this. I looked at the log and found nothing of interest… I looked for keywords such as eth0, eth1, NetworkManager, and the card’s model number. Plenty of references to eth0 and NetworkManager although there’s still no /dev/eth0. No eth1 or card model number references though.

Only interesting thing I saw is a couple entries that looked like this:

NetworkManager[500]: [1667259319.7995] manager: (ens7) new Ethernet device (/org/freedesktop/NetworkManager/Devices/2)

Only problem is there’s 3 of those devices listed while there should only be two NICs (the regular sys-firewall and the attached NIC). Also all of the information following them appears to be the same, with nothing outstanding as it being my attached NIC…

I don’t think it could be a driver/firmware issue because sys-net is running off the same NIC and it works fine.

Do you know anything else I can try? Thanks again!

So I figured out the NIC issue… I was really expecting there to be /dev/eth0, /dev/ens7 etc. but it doesn’t work like that lol. Now that I have a NIC attached (ens7) I tried your commands but got stuck at the iifname. I don’t have that command and I can’t seem to figure out what package it comes with :persevere: