[SOLVED] AppVM has no ping, sys-firewall and sys-net do have ping

Hi all,

Read here in the forums, in documentation, and elsewhere, but either couldn’t find the right information, or I didn’t recognize it as such due to lack of skills and knowledge.

I want to use Chromium for un-torified access to a few web pages that I must access but which block torified traffic. I want to confine Chromium to its own AppVM.

I have created a VM template and installed Chromium in it.
I have created an AppVM with Chromium in it.

Sys-net is the net Qube of sys-firewall.
Sys-firewall is the net Qube of the AppVM.

Ping in sys-net works fine.
Ping in sys-firewall works fine.
Ping in the AppVM doesn’t work.

What am I overlooking?

If you need to know anything else to be able to help me, please tell me.

I still have quite a few questions at this early time in my Qubes journey. Doing my best to help you help me…

Have a peaceful day 🙂

Jack

If I connect the AppVM to sys-whonix, Chromium in the AppVM has internet access just fine.

But for this VM I need un-torified internet access, so this isn’t a solution.

I don’t understand why it isn’t working via sys-net / sys-firewall.

Ok this is weird. I set the AppVM to sys-whonix, Chromium in the AppVM worked.

Then I went here (in Tor Browser, via sys-whonix as well, different AppVM), and made above post.

Then I tried Chromium in the AppVM again, like I just did before, and now it’s not working anymore, again.

I hope some of this helps to help me solve this.

You say you want Chromium un-torified. Why are you bothering with Whonix at all? Switching netvm is not helpful here.
Does ping work in a vanilla qube using the base (full) template?
Have you tried ping using both names and IP address? (9.9.9.9 is a good target)
What template did you use for the Chromium template?

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

Hi, thanks heaps for helping.

I probably didn’t explain that part very well:

Ultimately I don’t want Chromium via whonix, I just tried to connect it through sys-whonix just to see if that would work.

And Chromium on sys-whonix did work.

But only until I used Tor Browser via sys-whonix the next time; after that, Chromium on sys-whonix did not work anymore.

To me it looks like there is some interaction happening there that shouldn’t be happening - surely I should be able to run two different browsers on two different VMs via sys-whonix?

Not sure if this issue can have anything at all to do with the question why Chromium via sys-net and sys-firewall doesn’t work, but wanted to mention this in case it’s helpful.

I’ll address your other questions in my next post.

I assume by this you mean does ping work when I try it in the template that the AppVM is based on itself?

Tested that just now.

Ping www.google.com “Temporary failure in name resolution”. Ping 9.9.9.9 “Destination port unreachable”.

Same with sys-net and sys-firewall.

If that’s not what you meant, could you please clarify for me?

Umm now that you ask that question… whonix-ws-16. Now it’s beginning to dawn on me that that is probably the reason - because that template only wants to access the net via sys-whonix, correct?

So I redid it all, this time based on debian-11. And now Chromium works just fine via sys-firewall and sys-net.

I am really sorry, I still keep tripping over my own feet… thank you for bearing with me and helping me untangle myself!!

When first starting Chromium in that new VM it prompted / forced me to choose a password for a new keyring. Would you be able to point me in the direction of what key ring exactly that is? Then I’ll read up on it myself from there.

So does this mean that if I want to use sys-whonix for net access in a VM, I need to use whonix-ws-16 as the template; and if I want to just use sys-firewall and / or sys-net, use debian-11 as the template? In a nutshell? Or is this an oversimplification?

That’s an oversimplification.
You can set netvm for any qube to be sys-whonix and traffic will run through Tor, regardless of template used.
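
A dom0 check for the misconfiguration this thread ended up being about, added here as an example and not written by any poster in the thread: it prints a qube's template and netvm chain and labels the combination. It assumes Whonix templates are named with the prefixes shown in the comments; the `QVM_PREFS` variable and the verdict labels are hypothetical names introduced for this example.

```shell
#!/bin/sh
# Run in dom0: sh check-qube-net.sh <qube-name>
# QVM_PREFS is a hypothetical override so the lookup can be stubbed in tests.
QVM_PREFS=${QVM_PREFS:-qvm-prefs}

# Print one property of a qube; empty if unset or not applicable.
prop() {
    v=$("$QVM_PREFS" "$1" "$2" 2>/dev/null) || v=""
    case "$v" in None|-) v="" ;; esac
    printf '%s' "$v"
}

# Print the netvm chain of a qube, nearest hop first, one name per line.
netvm_chain() {
    cur=$(prop "$1" netvm)
    hops=0
    while [ -n "$cur" ] && [ "$hops" -lt 8 ]; do   # cap guards against loops
        printf '%s\n' "$cur"
        cur=$(prop "$cur" netvm)
        hops=$((hops + 1))
    done
}

# Assumed template naming: whonix-ws-16 / whonix-gw-16 and the longer forms.
is_whonix_ws() { case "$1" in whonix-ws*|whonix-workstation*) return 0 ;; esac; return 1; }
is_whonix_gw() { case "$1" in whonix-gw*|whonix-gateway*) return 0 ;; esac; return 1; }

# Verdict labels (hypothetical): no-netvm, tor, ws-clearnet, clearnet.
classify_qube() {
    tpl=$(prop "$1" template)
    chain=$(netvm_chain "$1")
    [ -n "$chain" ] || { echo no-netvm; return 0; }
    via_gw=no
    for hop in $chain; do
        if is_whonix_gw "$(prop "$hop" template)"; then via_gw=yes; fi
    done
    if [ "$via_gw" = yes ]; then echo tor
    elif is_whonix_ws "$tpl"; then echo ws-clearnet   # the case that failed in this thread
    else echo clearnet
    fi
}

if [ "$#" -ge 1 ]; then
    echo "template:    $(prop "$1" template)"
    echo "netvm chain: $(netvm_chain "$1" | tr '\n' ' ')"
    echo "verdict:     $(classify_qube "$1")"
fi
```

A `ws-clearnet` verdict matches the original setup in this thread (a whonix-ws-16 based AppVM behind sys-firewall and sys-net); `tor` means some hop in the chain is a Whonix gateway, whatever the qube's own template.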