Having a little trouble reimagining my old system into an effective Qubes system.
In my old system I had 16 VMs for different functions, including a ‘router’ vm. This had three NICs: one to The Internets, one to the LAN, and one to the DMZ. This router strictly funneled traffic to only those places it was allowed and only allowed necessary ports using nftables.
---
I note that Qubes has a network instance which holds all the interfaces. This seems to defeat the isolation of the LAN and DMZ from The Internets. Can I / should I make three network instances?
---
Another VM was for Wireguard and DNS service to the LAN. This had an outWG interface to ProtonVPN, and an inWG interface so remote devices could seamlessly and securely connect to my LAN and the VPN. I guess I’d make a VPN server instance, but this creates a WG interface. Would this be a network instance? How would I install unbound into this? Unbound pretty much has to be in the same instance as WG.
---
Now, so that daemons do not disappear with each reboot I must install the daemons in the source template. This could mean that all the daemons in my 16 old VMs would be installed into one source template! All instances using that template could run any of the daemons, which doesn’t make sense. I realize that the template would be read-only, but this is not partitioning. What’s up with that? How do I handle it?
---
Outside of my old herd of KVM VMs in the server, there are separate LAN machines, like laptop, backups server, cameras server, etc., each of which accessed services provided by server VMs through dedicated LAN IPs/NICs. I can see how Xen instances can communicate through the hypervisor, but how do LAN machines access daemon instances in the Xen server?
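The three-zone policy the old router enforced (traffic only to permitted zones, only on needed ports), written out as an nftables ruleset. This is an added example, not taken from the post; the interface names, subnets, the DMZ host address and the allowed ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Three-zone router: WAN / LAN / DMZ with default-deny in every direction.
# Interface names, addresses and ports below are assumed, not from the post.
flush ruleset

define WAN = eth0                 # to the Internet
define LAN = eth1                 # 192.168.10.0/24 (assumed)
define DMZ = eth2                 # 192.168.20.0/24 (assumed)
define DMZ_WEB = 192.168.20.10    # the one published DMZ host (assumed)

table inet router {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Only LAN hosts may talk to the router itself: DNS and SSH.
        iifname $LAN tcp dport { 22, 53 } accept
        iifname $LAN udp dport 53 accept
        # Rate-limited ping from any zone, for diagnostics.
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN -> Internet: web and NTP only.
        iifname $LAN oifname $WAN tcp dport { 80, 443 } accept
        iifname $LAN oifname $WAN udp dport 123 accept
        # LAN -> DMZ: only the web host, only HTTPS.
        iifname $LAN oifname $DMZ ip daddr $DMZ_WEB tcp dport 443 accept
        # Internet -> DMZ: only the published service (after the DNAT below).
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB tcp dport 443 accept
        # DMZ -> LAN is never permitted; DMZ hosts may only answer, never initiate.
        log prefix "fwd-drop: " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname $WAN tcp dport 443 dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Check the file without loading it with `nft -c -f router.nft`; the `fwd-drop:` log prefix makes any traffic that crosses zones without a matching rule visible in the kernel log.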