In my Qubes workstation the network topology is approximately like this:
- WAN ↔ NIC 1 ↔ sys-net-wan ↔ sys-firewall-wan ↔ [qubes that access internet]
- Isolated LAN ↔ NIC 2 ↔ sys-net-lan ↔ sys-firewall-lan ↔ [qubes that access the offline lan]
I.e. the workstation connects to two independent networks and that independence extends to the qubes that access these networks, as it naturally should.
I’d like to mess with this clean separation: I want to provide the machines in my LAN (accessed in Qubes through sys-firewall-lan, NIC 2) a route to a proxy/caching service qube (connected to the internet through sys-firewall-wan, NIC 1) for package updates, which otherwise need to be uploaded to these machines by way of sneakernet.
Is this practical, without being quite devious? I think I would need a bridging qube, but in the natural order of things a qube has a single netvm. So, at best this would be complicated.