Questions RE: OpenBSD Netvm setup

I’m currently setting up the OpenBSD NetVM following this guide: Integrate pfSense/OPNsense VM on QubesOS · Issue #1 · jcholsap/freemod · GitHub

I’ve got through it all, but the issues / questions I have are these:

  1. In this discussion { Configuring Networking in OpenBSD HVM - #5 by unman } @qubesnewb raises the issue of networking with disposable VMs using OpenBSD netvm and suggests the following workaround:

use this in /etc/hostname.xnf0 :

inet 10.137.0.35 255.255.255.0
!route add -iface -cloning 10.138.7.37 10.137.0.35

and in /etc/mygate :

10.138.7.37

the !route in hostname.xnf0 makes sure bsd knows how to reach the default gw since its separate subnet

Are these the only changes I need to make (adjusted for my variables) to get disposables to run? Almost all my net activity is through disposable appvms.

  2. Is it possible to run OpenBSD disposable, would there be value?

So any advice on what is required to get disposables working with OpenBSD netvm would be MASSIVELY appreciated.

In the guide it just references:

Set the "fedora-32-dvm" "NetVM" to "sys-net".
a. This works around Qubes' 10.138.0.0/24 networking on disposable VMs.
b. Repeat for all your DisposableVMs.

When I try this I get “Error: Basic tab: Loops in network are unsupported”

Lastly, when I added services in my sys-firewall

c. Add in “Services” the following:
– i. “clocksync” daemon.
– ii. “qubes-update-check”.
– iii. “qubes-updates-proxy”.
– iv. “qubes-yum-proxy”.

There were no options in the dropdown menu, so I just went custom and wrote the names in, assuming they would be called upon by name. Is this wrong?

Sorry for so much text, thank you greatly for reading & advising! @unman

To clarify, I removed the part about the login. Noob, I know, but I could’ve sworn my Login: root Password: my password was correct, and there must be something more to it.

To add further:

  1. Is it unusual if in a dom0 terminal using sudo I can’t get access to libvirt directory? I’m trying to chase up a log.

  2. Running ifconfig xnf0 I can see that my netmask is reading at 0xffffff00. What is up with that?

“inet 10.137.0.22 netmask 0xffffff0 broadcast 10.137.0.255”

Also no network applet has popped up for openbsd-21-sysnet or any acknowledgement when the ethernet is connected, where firewall has an applet.

Sorry for this confused thread, but I am actively troubleshooting it as I came here (I was feeling hopeless at the time of post).

One thing I think might’ve been the issue is that I had my sys-firewall as a DVM, and obviously the script that tells sys-firewall to redirect all traffic to openbsd-21-sysnet was disappearing after restart.

Is this script the reason that the guide doesn’t mention checking ‘provides network’ for openbsd-21-sysnet? That seems odd to me. Why does sys-firewall have its networking set to none and openbsd-sysnet set to sys-firewall?

Shouldn’t that be the other way around, where OpenBSD-21-sysnet gets net from the NIC, and provides it to sys-firewall?

Also, I am concerned about the fact that I have no services in my services windows, whereas on another computer I do have lots of services when I click the services window. This is confusing to me.

Normally :
qube → sys-firewall → sys-net-[NIC]

Here:
qube → sys-firewall ← BSD-[NIC]

In terms of traffic flow, of course.
But in terms of Qubes networking, no.
That’s why you need to set up routing and forwarding on sys-firewall.

What is providing those services? BSD is outwith the Qubes framework -
you can install services (native) but they won’t be linked in to Qubes.
Similarly you can’t expect features like qvm-copy.

@unman thank you so much for your response, I’m sure you are busy and this is annoying, but it is of a lot of help to me, and I’ve put a lot of effort in today to try and get this working.

By following the advice in Configuring Networking in OpenBSD HVM - #10 by qubesnewb I have got to the point where the openbsd-21-sysnet launches and goes automatically right through to login & progresses on. I’ve set all my files such as mygate with the correct information according to that thread.

However I still get no response in my appvm → sys-firewall → openbsd → nic.

I just want to describe a few points about how I’ve got this setup and hopefully an error will be apparent to the tech geniuses.

I have OpenBSD-21-sysnet netvm as sys-firewall, sys-firewall as no-netvm (with the script in /rw/config with my specific gateway & dns & chmod +x it), sys-net as sys-firewall netvm.

When I ping 8.8.8.8 in openbsd-21-sysnet I get no response, but previously I have had “send mesg: can’t assign requested address”

ifconfig xnf0 in openbsd-21-sysnet returns flags 11addr index & this:

groups: egress
media: Ethernet manual
status: active
inet 10.137.0.20 netmask 0xffffff0 broadcast 10.137.0.255

In my OpenBSD template I have:

in /etc/hostname.xnf0:

inet 10.137.0.20 255.255.255.0
!route add -iface -cloning 10.138.31.54 10.137.0.20

in /etc/mygate

10.138.31.54

in /etc/resolv.conf

lookup file bind
nameserver 10.139.1.1

My openbsd-21-sysnet has:

IP: 10.137.0.20
Netmask:255.255.255.255
Gateway: 10.138.31.54
VirtualDNS 10.139.1.1

(Provides network set to false).

Integrate pfSense/OPNsense VM on QubesOS · Issue #1 · jcholsap/freemod · GitHub I have the script from here with gateway & dns set accurately.

Is there anything that stands out to you here as something I can pursue to troubleshoot this? Like I said I understand this is probably above my pay-grade, but it would be a great win to get this working and I’ve put in a lot of effort thanks to your notes & the guide built off of them.

What is providing those services? BSD is outwith the Qubes framework -
you can install services (native) but they won’t be linked in to Qubes.
Similarly you can’t expect features like qvm-copy.

Sorry, to clarify on this, I meant in my sys-firewall and sys-net VMs. Obviously they had to be set in the disptemplate (duh) and so I cloned the template and enabled the services in the template for each, the only thing missing was qubes-yum-proxy. Do I need to install this myself? Or are the services not of critical importance?

Once again THANK YOU!!

When I run sh /etc/netstart in the openbsd-21 templatevm, I get “add host 10.138.31.54: gateway 10.137.0.20”

And the same is mentioned when openbsd loads. So isn’t that backwards? Isn’t my gateway 10.138..?

When I try to reverse the two in the ‘cloning’ section of my hostname.xnf0, I get
“add host 10.137.0.20: gateway 10.138.31.54: Network is unreachable”

Thanks again.

@unman If I can just ask one concise question of you:

Does ifconfig xnf0 returning 0xffffff0 netmask indicate that openbsd isn’t recognizing my netmask I set in hostname.xnf0 (255.255.255.0), or is that an expected output which doesn’t reflect the netmask openBSD is using?

Thank you greatly, and apologies for this thread

Did you manage to make it work? I have the same issue.

Do you have the netmask 0xffffff0?

I thought that was the hex of 255.255.255.0, but it’s actually the hex of 255.255.255.240 (aka a /28 subnet).

I tried to manually set the netmask via hostname.xnf0 to no success.

I will make an effort to try again soon @Szewcu but unfortunately I did such an awful job structuring this post and communicating my issues that I don’t think Unman sees it as worth the effort to troubleshoot.

I’m going to try and set it up according to Unman’s notes on github rather than the guide I have, as there are some differences, and see if the issue persists.

I’m not giving up until I succeed with this though.

I’m not sure if the internet connection itself is established. I tried to ping 9.9.9.9 from my openBSD without success.

If the netmask wasn’t correctly configured, that would still mean you couldn’t ping 9.9.9.9 though, right?

What does your ifconfig xnf0 say about the netmask?

My netmask is set to 0xffffff00. So it looks ok.

Ok. As I thought, I must have missed something obvious… I should also configure the physical NIC during installation, not only the Xen network interface. Unfortunately there is a known problem with the Realtek NIC… so I’m spammed by “re0 watchdog timeout” and ethernet is not working. I will try with wifi.

On wifi it is even worse… even after I connected to the internet using the Xen interface, downloaded the wifi firmware and updated the kernel and all packages, when I reboot and start with the wifi card connected I get errors and then a kernel panic. I think my journey into openbsd-sysnet ends here. Maybe I will check after some time whether the drivers have been updated.

Edited:
I created an issue since it looks like it is a problem with Xen or Qubes, not OpenBSD and firmware.

Hello everyone, I thought I would write here rather than start a new conversation.
I also have a networking problem on OpenBSD (no internet access; 0 packets received, 100 packets lost)
I have tried many different configurations, I have read the OpenBSD networking wiki, I have read all the threads (even the FreeBSD ones) about network configuration but I have not been able to set up internet access on OpenBSD.
I don’t want to make a sys-net based on OpenBSD (for now) I just want to have an OpenBSD HVM with internet access.
Here is my configuration provided by QubesOS:

sys-firewall (not based on a dispVM)

ip : 10.137.0.7
netmask : 255.255.255.255
gateway : 10.138.30.193
virtual dns : 10.139.1.1, 10.139.1.2

OpenBSD: (I did not check the ‘provide network’ box)

ip : 10.137.0.28
netmask : 255.255.255.255
gateway: 10.137.0.7
virtual dns : 10.139.1.1, 10.139.1.2

Here is what I put in /etc/hostname.xnf0

inet 10.137.0.7 255.255.255.0

I tried to put

!route add -iface -cloning 10.137.0.7 10.137.0.28

because my sys-net is based on dispVM

Here is what I put in /etc/mygate

10.137.10.7

Here is what I put in /etc/resolv.conf

nameserver 10.139.1.1
nameserver 10.139.1.2

Any idea where I fu** up ?
I’ve been on this problem for a few months now trying and trying and trying other configurations but I haven’t succeeded. I’m starting to get knots in my brain and I’m thinking that I’m not seeing something obvious.
Thank you in advance for your time in helping me !

Try with:
/etc/hostname.xnf0
inet 10.137.0.28 255.255.255.0

/etc/mygate:
10.137.0.7

/etc/resolv.conf:
nameserver 10.139.1.1

This hack with cloning is only needed when your netvm and vm are in separate subnets. For me, the config as I wrote it just works.
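
The rule in the reply above (the `-cloning` interface route is only needed when the gateway lies outside the subnet configured in /etc/hostname.xnf0) can be checked mechanically. This is an added example, not part of any post in the thread; `lint_xnf0` and the sample names are hypothetical, and the sample inputs are built from addresses quoted in the thread.

```python
import ipaddress

def lint_xnf0(qubes_ip, qubes_gw, hostname_if, mygate):
    """Compare /etc/hostname.xnf0 and /etc/mygate contents with the IP and
    gateway shown in the qube's settings; return a list of findings."""
    inet, routes, findings = None, [], []
    for line in hostname_if.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "inet":
            # "inet ADDR MASK"; only dotted-quad masks are handled here
            inet = ipaddress.ip_interface(f"{f[1]}/{f[2]}")
        elif len(f) >= 6 and f[0] == "!route" and "-cloning" in f:
            routes.append((f[-2], f[-1]))  # (gateway, own address)
    if inet is None:
        return ["no inet line in hostname.xnf0"]
    if str(inet.ip) != qubes_ip:
        findings.append(f"inet address {inet.ip} is not this qube's IP {qubes_ip}")
    if mygate.strip() != qubes_gw:
        findings.append(f"mygate {mygate.strip()} is not the gateway {qubes_gw}")
    if ipaddress.ip_address(qubes_gw) in inet.network:
        if routes:
            findings.append("gateway is on-link; the -cloning route is not needed")
    elif (qubes_gw, qubes_ip) not in routes:
        findings.append(f"gateway {qubes_gw} is outside {inet.network}; needs "
                        f"'!route add -iface -cloning {qubes_gw} {qubes_ip}'")
    return findings

# Sample inputs built from addresses quoted in this thread.
SAME_SUBNET_OK = ("10.137.0.28", "10.137.0.7",
                  "inet 10.137.0.28 255.255.255.0\n", "10.137.0.7\n")
SAME_SUBNET_BAD = ("10.137.0.28", "10.137.0.7",
                   "inet 10.137.0.7 255.255.255.0\n", "10.137.10.7\n")
OTHER_SUBNET_OK = ("10.137.0.20", "10.138.31.54",
                   "inet 10.137.0.20 255.255.255.0\n"
                   "!route add -iface -cloning 10.138.31.54 10.137.0.20\n",
                   "10.138.31.54\n")
OTHER_SUBNET_NO_ROUTE = ("10.137.0.20", "10.138.31.54",
                         "inet 10.137.0.20 255.255.255.0\n", "10.138.31.54\n")

if __name__ == "__main__":
    for name in ("SAME_SUBNET_OK", "SAME_SUBNET_BAD",
                 "OTHER_SUBNET_OK", "OTHER_SUBNET_NO_ROUTE"):
        print(name, lint_xnf0(*globals()[name]) or "no findings")
```

The first two arguments are the IP and gateway that Qubes assigns to the qube; the last two are the file contents as written inside the OpenBSD HVM.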


My savior is here I guess, it’s working … thanks
much love honestly …

By any chance would you know the "!route add -iface -cloning 10.137.0.7 10.137.0.28" equivalent for FreeBSD?
I’m using a dispVM for sys-firewall and I’m having issues with a FreeBSD HVM