Providing route to proxy/caching service qube to offline LAN

In my Qubes workstation the network topology is approximately like this:

  • WAN ↔ NIC 1 ↔ sys-net-wan ↔ sys-firewall-wan ↔ [qubes that access the internet]
  • Isolated LAN ↔ NIC 2 ↔ sys-net-lan ↔ sys-firewall-lan ↔ [qubes that access the offline LAN]

I.e. the workstation connects to two independent networks and that independence extends to the qubes that access these networks, as it naturally should.

I’d like to mess with this clean separation: I want to provide the machines in my LAN (accessed in Qubes through sys-firewall-lan, NIC 2) a route to a proxy/caching service qube (connected to the internet through sys-firewall-wan, NIC 1) for package updates, which otherwise need to be uploaded to these machines by way of sneakernet.

Is this practical, without being quite devious? I think I would need a bridging qube, but in the natural order of things a qube has a single netvm. So, at best this would be complicated.

You can use Qubes RPC to connect sys-net-lan to the proxy/caching service qube like this:

E.g. allow incoming connections to port 444 in the sys-net-lan firewall, and pass connections to sys-net-lan port 444 through to your proxy/caching service, which runs in the proxy/caching service qube on port 444.

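As an added example (not from the thread), here is one way to lay out the forward the reply describes: a dom0 policy line that lets only sys-net-lan reach the cache, and the sys-net-lan side that opens the port and relays it over qrexec. The qube names sys-net-lan and apt-cache, port 444, the Qubes 4.1+ policy syntax and the 4.2 nftables chain are all assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): the pieces of the
# qubes.ConnectTCP forward described above. Names are assumptions:
# LAN-facing net qube "sys-net-lan", caching qube "apt-cache", port 444.
# Qubes 4.1+ policy syntax and the 4.2 nftables chain are assumed.
set -eu

LAN_QUBE="${LAN_QUBE:-sys-net-lan}"
PROXY_QUBE="${PROXY_QUBE:-apt-cache}"
PORT="${PORT:-444}"

# Reject anything that is not a TCP port number, so a typo cannot
# turn the policy argument into something other than one port.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dom0: one policy line permitting only LAN_QUBE to open PORT on PROXY_QUBE.
# Goes into /etc/qubes/policy.d/30-user.policy (Qubes 4.1+ syntax).
policy_line() {
    valid_port "$3" || return 1
    printf 'qubes.ConnectTCP +%s %s @default allow target=%s\n' "$3" "$1" "$2"
}

# sys-net-lan: accept LAN connections to PORT in the nftables chain that
# Qubes 4.2 reserves for user rules, then have qvm-connect-tcp listen on
# PORT and relay each connection over qrexec to PROXY_QUBE:PORT.
# Put these two commands in /rw/config/rc.local so they survive a reboot.
lan_side() {
    valid_port "$1" || return 1
    sudo nft add rule ip qubes custom-input tcp dport "$1" accept
    qvm-connect-tcp ::"$1" &
}

# The service qube needs no firewall rule of its own: qubes.ConnectTCP
# connects to localhost:PORT inside it, so the cache only has to listen on
# localhost. LAN hosts then use http://<sys-net-lan LAN IP>:PORT as proxy.

case "${1:-}" in
    policy) policy_line "$LAN_QUBE" "$PROXY_QUBE" "$PORT" ;;
    lan)    lan_side "$PORT" ;;
esac
```

Run `sh forward.sh policy` in dom0 to print the policy line to append, and `sh forward.sh lan` inside sys-net-lan to open the port and start the relay.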

Thank you! That sounds promising.