In my Qubes workstation the network topology is approximately like this:
- WAN ↔ NIC 1 ↔ sys-net-wan ↔ sys-firewall-wan ↔ [qubes that access internet]
- Isolated LAN ↔ NIC 2 ↔ sys-net-lan ↔ sys-firewall-lan ↔ [qubes that access the offline lan]

I.e. the workstation connects to two independent networks and that independence extends to the qubes that access these networks, as it naturally should.
I’d like to mess with this clean separation: I want to provide the machines in my LAN (accessed in Qubes through sys-firewall-lan, NIC 2) a route to a proxy/caching service qube (connected to the internet through sys-firewall-wan, NIC 1) for package updates, which otherwise need to be uploaded to these machines by way of sneakernet.
Is this practical, without being quite devious? I think I would need a bridging qube, but in the natural order of things a qube has a single netvm. So, at best this would be complicated.