Question about firewall

I am currently running this setup:

sys-whonix → firewall qube (to hold firewall rules) → sys-vpn → work

If I have firewall rules in sys-vpn set to only be able to access the VPN servers, does it imply that work and all other qubes connected to sys-vpn are essentially firewalled?

It makes sense, but Qubes is a confusing OS, which is essentially why I'm asking.

Also, is there any way for sys-vpn to bypass Whonix? The internet connection seems too fast sometimes.

I don't understand your setup. Is it sys-net → sys-whonix → firewall → sys-vpn → work? If so, it's not good… You should always have a firewall just before sys-net.
Your setup has to be like this: sys-net → sys-firewall → sys-whonix → sys-vpn → work
or
sys-net → sys-firewall → sys-vpn → sys-whonix → work

Anyway, you must ALWAYS have a firewall after a sys-net.

@Tezeria The link you posted explains the reasons sys-firewall may not be necessary.

So just look at the documentation.

And search in the forum; you could easily find why the firewall is so important. 🙂

I was under the impression that it was only necessary in front of qubes with qubes firewall rules, like a VPN using the qubes firewall as a killswitch. If one had only, say, sys-whonix → sys-net, I didn’t think it was necessary because sys-whonix (trusted) would handle firewall rules for preceding qubes, and sys-net (untrusted) wouldn’t need to handle any firewall rules.

Are you sure it's trusted? How are you sure? 😉 You can't be sure; that's why Qubes OS uses virtualization 😉

Qubes doesn’t remove the need for trust. Sys-net is considered untrusted because it has a lot of exploitable buggy software and hardware in the network stack, so allowing it to handle firewall rules isn’t recommended because any compromise would have the option to disable firewall rules. In this you are right.

Sys-whonix, however, is considered* trusted, presumably because it handles Tor connections, a sensitive task. Sys-whonix is not significantly less trusted than sys-firewall. Neither has much user stuff going on by default (sys-whonix marginally more so by having Tor-related controls). It also defaults to black in the default install, which would seem to indicate it's considered trusted by the project as well. If it were ever compromised, it could compromise all Tor traffic as well, meaning it's a fairly sensitive VM that should* also be trustworthy enough for firewalling. *Ultimately it's up to each user to decide what to trust, but there's no inherent risk or reason not to trust sys-whonix that I'm aware of (if it's used properly).

Regardless, there would still be no need for a FirewallVM in between sys-whonix and sys-net, because a qube only handles firewall rules for the qubes directly connected downstream. If you don't trust sys-whonix, you would need a firewall in between sys-whonix and your AppVM(s) connected to it downstream. (And you also should use a completely different approach to accessing Tor.)
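To make the enforcement rule from this reply concrete, here is an added Python model (not code from the thread or from the Qubes project) of the OP's chain and the recommended chain. It assumes only the rule stated above, that a qube's firewall rules are applied by the qube directly upstream of it (its netvm), and the topologies and the `untrusted` set are constructed for the example.

```python
"""Which netvm applies a given qube's firewall rules in a Qubes chain.

Rule assumed (from the reply above): a netvm enforces rules only for
the qubes directly connected downstream of it.
"""
from typing import Dict, FrozenSet, List, Optional

Topology = Dict[str, Optional[str]]  # qube -> its netvm (None = network edge)

# Constructed: the OP's chain, sys-whonix → firewall → sys-vpn → work
OP_SETUP: Topology = {
    "sys-net": None,
    "sys-whonix": "sys-net",
    "firewall": "sys-whonix",
    "sys-vpn": "firewall",
    "work": "sys-vpn",
}

# Constructed: the first chain recommended in the reply
RECOMMENDED: Topology = {
    "sys-net": None,
    "sys-firewall": "sys-net",
    "sys-whonix": "sys-firewall",
    "sys-vpn": "sys-whonix",
    "work": "sys-vpn",
}


def enforcer_of(topology: Topology, qube: str) -> Optional[str]:
    """The qube that applies `qube`'s own firewall rules: its direct netvm."""
    return topology[qube]


def rules_applied_by(topology: Topology, netvm: str) -> List[str]:
    """Qubes whose rules `netvm` applies: exactly its direct downstream qubes."""
    return sorted(q for q, up in topology.items() if up == netvm)


def upstream_path(topology: Topology, qube: str) -> List[str]:
    """Hops from `qube` out to the network edge; stops on a cycle."""
    path = [qube]
    while topology[path[-1]] is not None and topology[path[-1]] not in path:
        path.append(topology[path[-1]])
    return path


def rules_applied_by_untrusted(topology: Topology,
                               untrusted: FrozenSet[str] = frozenset({"sys-net"})) -> List[str]:
    """Qubes whose own rules an untrusted netvm would have to apply."""
    return sorted(q for q, up in topology.items() if up in untrusted)
```

In the OP's chain, sys-vpn's rules are applied by the firewall qube and work's rules by sys-vpn, while sys-whonix's rules are applied by sys-net; in the recommended chain only sys-firewall sits directly on sys-net.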