Hi,
I would like to generally restrict access to my home network (like a guest network setting). So that my default qubes are isolated from other devices in the network but have internet access.
I already set up a qube that is the opposite and only has access to devices on the network but not to the internet (for access to home cloud, printer etc.)
I would like your opinions and experiences on that matter.
Is that whole idea necessary? If you do something similar how do you do it?
Do you use the firewall rules or a VPN qube or something else?
Thanks in advance!
Atrate
January 29, 2026, 9:43pm
There’s a feature request about this:
opened 12:50AM - 24 Feb 25 UTC
Labels: ux, security, P: default, C: networking
### The problem you're addressing (if any)
Local networks often contain devices… , such as printers and routers, that are not sufficiently protected against malicious network activity. Therefore, VMs that do not need access to local networks should not have such access. iOS already enforces this restriction. Doing this manually is hardly realistic, as the needed rule list is too long:
```
dsthost=0.0.0.0/8 action=drop
dsthost=10.0.0.0/8 action=drop
dsthost=100.64.0.0/10 action=drop
dsthost=127.0.0.0/8 action=drop
dsthost=169.254.0.0/16 action=drop
dsthost=172.16.0.0/12 action=drop
dsthost=192.0.0.0/24 action=drop
dsthost=192.0.2.0/24 action=drop
dsthost=192.168.0.0/16 action=drop
dsthost=198.18.0.0/15 action=drop
dsthost=198.51.100.0/24 action=drop
dsthost=203.0.113.0/24 action=drop
dsthost=224.0.0.0/4 action=drop
dsthost=240.0.0.0/4 action=drop
dsthost=::/96 action=drop
dsthost=::/128 action=drop
dsthost=::1/128 action=drop
dsthost=::ffff:0.0.0.0/96 action=drop
dsthost=100::/64 action=drop
dsthost=2001:10::/28 action=drop
dsthost=2001:db8::/32 action=drop
dsthost=3fff::/20 action=drop
dsthost=fc00::/7 action=drop
dsthost=fe80::/10 action=drop
dsthost=ff00::/8 action=drop
# Teredo
dsthost=2001::/40 action=drop
dsthost=2001:0:a00::/40 action=drop
dsthost=2001:0:6440::/42 action=drop
dsthost=2001:0:7f00::/40 action=drop
dsthost=2001:0:a9fe::/48 action=drop
dsthost=2001:0:ac10::/44 action=drop
dsthost=2001:0:c000::/56 action=drop
dsthost=2001:0:c000:200::/56 action=drop
dsthost=2001:0:c0a8::/48 action=drop
dsthost=2001:0:c612::/47 action=drop
dsthost=2001:0:c633:6400::/56 action=drop
dsthost=2001:0:cb00:7100::/56 action=drop
dsthost=2001:0:e000::/36 action=drop
dsthost=2001:0:f000::/36 action=drop
# 6to4
dsthost=2002::/24 action=drop
dsthost=2002:a00::/24 action=drop
dsthost=2002:6440::/26 action=drop
dsthost=2002:7f00::/24 action=drop
dsthost=2002:a9fe::/32 action=drop
dsthost=2002:ac10::/28 action=drop
dsthost=2002:c000::/40 action=drop
dsthost=2002:c000:200::/40 action=drop
dsthost=2002:c0a8::/32 action=drop
dsthost=2002:c612::/31 action=drop
dsthost=2002:c633:6400::/40 action=drop
dsthost=2002:cb00:7100::/40 action=drop
dsthost=2002:e000::/20 action=drop
dsthost=2002:f000::/20 action=drop
```
This long rule list was generated by a Python script rather than being written by hand.
### The solution you'd like
Provide a simple “allow local network access” toggle that enforces the above filtering automatically. If a VM has the toggle set, the GUI will prompt the user whether to allow its NetVM do this, and will do so transitively for all NetVMs up the chain. Explicit allow rules in the firewall policy should override this.
Changing the default for existing VMs is a backwards incompatible change and will need to wait for R5.0, but it might be possible to default to no for newly created VMs. In any case the default should be overrideable via global config.
### The value to a user and who that user might be
Users will be able to protect themselves from VMs interacting with equipment on the local network without their permission.
### Completion criteria checklist
_No response_
2 Likes
The cleanest and easiest way that scales well is to avoid setting firewall rules inside each individual qube (that gets messy fast once you have more than a few).
Instead, create two separate network-providing VMs (NetVMs) and control everything from dom0 with qvm-firewall.
One is “sys-internet” and connects via sys-firewall and sys-net to the internet but can’t access your local LAN because firewall settings disallow it.
The other one is “sys-LAN” which does the exact opposite.
Advantage: just connect AppVMs to the desired NetVM and it’s done.
2 Likes
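The rule list in the feature request above was generated by a script, and the reply above applies such rules from dom0 to a dedicated NetVM. As an added example (not the issue author's script and not code from the Qubes project), here is a Python generator that derives the same 53 rules from the 14 IPv4 and 11 native IPv6 ranges: the Teredo and 6to4 entries are computed by embedding each IPv4 range at bit offset 32 of `2001::/32` and bit offset 16 of `2002::/16`, which is the construction the issue's list follows. It then writes them out as `qvm-firewall` commands for the `sys-internet` NetVM named in the reply. The `--before 0` flag assumes rule 0 is the qube's default accept rule; that is an assumption to verify with `qvm-firewall sys-internet list` before running the output.

```python
import ipaddress

# IPv4 ranges a qube that only needs internet access should never reach
# (same set as the feature request's generated list).
IPV4_BLOCKED = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]

# Native IPv6 ranges from the same list (kept as written in the issue).
IPV6_BLOCKED = [
    "::/96", "::/128", "::1/128", "::ffff:0.0.0.0/96", "100::/64",
    "2001:10::/28", "2001:db8::/32", "3fff::/20", "fc00::/7", "fe80::/10",
    "ff00::/8",
]

# Transition prefixes that carry an IPv4 address inside the IPv6 address:
# (prefix, bit offset at which the embedded IPv4 address starts).
TEREDO = ("2001::/32", 32)   # server IPv4 address sits in bits 32..63
SIX_TO_FOUR = ("2002::/16", 16)  # IPv4 address sits in bits 16..47


def embed_ipv4(net: ipaddress.IPv4Network, prefix6: str, offset: int) -> ipaddress.IPv6Network:
    """Map an IPv4 network into the IPv6 prefix at the given bit offset.

    The resulting prefix length is offset + the IPv4 prefix length, so the
    /8 of 10.0.0.0/8 becomes a /40 under Teredo and a /24 under 6to4.
    """
    base = ipaddress.IPv6Network(prefix6)
    shift = 128 - offset - 32  # left shift that lands bit 0 of IPv4 at `offset`
    value = int(base.network_address) | (int(net.network_address) << shift)
    return ipaddress.IPv6Network((value, offset + net.prefixlen))


def blocked_networks() -> list[str]:
    """Return every destination that should be dropped, in the issue's order."""
    v4 = [ipaddress.IPv4Network(n) for n in IPV4_BLOCKED]
    for n in IPV6_BLOCKED:
        ipaddress.IPv6Network(n)  # validate, but keep the original spelling
    rules = [str(n) for n in v4] + list(IPV6_BLOCKED)
    rules += [str(embed_ipv4(n, *TEREDO)) for n in v4]
    rules += [str(embed_ipv4(n, *SIX_TO_FOUR)) for n in v4]
    return rules


def qvm_firewall_commands(vm: str) -> list[str]:
    """dom0 commands that insert the drop rules ahead of the qube's existing rules.

    Assumption: rule 0 is the default accept rule, so every drop is inserted
    before it and evaluated first (check with `qvm-firewall <vm> list`).
    """
    return [
        f"qvm-firewall {vm} add --before 0 action=drop dsthost={net}"
        for net in blocked_networks()
    ]


if __name__ == "__main__":
    # Print the commands so they can be reviewed, then pasted into dom0.
    print("\n".join(qvm_firewall_commands("sys-internet")))
```

Qubes evaluates a qube's firewall rules in order and enforces them in that qube's NetVM, so the drop rules only take effect if they sit before the accept rule; listing the rules after applying them is the quick way to confirm the order.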
qubist
January 30, 2026, 4:44pm
@kcosmus
Complete isolation would require a VLAN setup. The subject is not simple and is off-topic for Qubes. You would be better off asking on a networking forum.
> Is that whole idea necessary?
Depends on your actual goal.
1 Like