Sys-firewall MAC randomisation?

Is it OK if I make my sys-firewall randomise the MAC address?

When I do this on my sys-net or in the NetworkManager settings it disappears because sys-net is disposable.

I want to randomise the MAC on all qubes.

Is it possible this way?

And if I have a random MAC in my qube setup, does that interfere with sys-firewall MAC randomisation?

Thanks in advance :slightly_smiling_face:

This will not help you, as this will not affect the MAC address that the network will see.

You can do this without a disposable sys-net. (However, you can also do it with a disposable sys-net, but you have to make the modifications in your template.)

Oh, and you are probably also interested in hostname randomization, which is also described in the link.

I want my sys-net to be disposable because of security reasons.
Is it possible to add a startup command to dom0 to spoof the MAC and hostname also on sys-net/NetworkManager on every boot? If it is, what should it look like?

For example, to send my already set up 99-default.link file located in dom0 to sys-net's lib/systemd/network/ and overwrite the existing file.
Same thing for hostname anon.

I don’t want to get tangled in qubes while doing this. I want a minimal Qubes setup.

I edited my post; it is also possible to do this with a disposable sys-net. However, you must modify the template, and the modifications to the normal AppVM must be done in your sys-net-dvm-template.

Technically possible, yes, but you lose some features, like randomization on every reconnect. Also, I think this is more hacky than the normal approach.

I think your best bet would then be to do nothing. Qubes 4.1 already has MAC randomization (only for Wi-Fi, though) on board by default.

There’s nothing in sys-firewall for randomization, since there is no device there, unless you attach it, which would be unwise.

That is great to hear. So I will stick to the wireless network. And my problem is solved for MAC randomisation.

But what about hostname anon for Wi-Fi?
The link you provided only covers a non-disposable sys-net/NetworkManager, if I saw correctly.

It would be sufficient for me to have hostname anon on my VPN qube.
Can I do this by adding this instruction from your link and the required file to my VPN template?

It has no NetworkManager, therefore no .nmconnection file that is needed for the setup. Does adding this file to the template help, or does it get overwritten on every start?

Am I understanding this correctly?

(Instructions from your link)
Edit the saved connection files at /rw/config/NM-system-connections/*.nmconnection
and add the dhcp-send-hostname=false line to both the [ipv4] and the [ipv6] section.

I read in the md that it is not a problem for the stuff Qubes uses by default.
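As an added example (not code from the thread or from the Qubes project): a POSIX shell script that applies the instruction quoted above to a NetworkManager keyfile, setting dhcp-send-hostname=false in both the [ipv4] and [ipv6] sections (appending a section if it is missing) and checking whether a file already has it. The connection it rewrites is a constructed sample; on a real sys-net the files live under /rw/config/NM-system-connections/ as the quoted instruction says.

```shell
#!/bin/sh
# Added example: force dhcp-send-hostname=false in the [ipv4] and [ipv6]
# sections of a NetworkManager keyfile, and verify that it is set.
set -e

# Rewrite FILE so that [ipv4] and [ipv6] each carry exactly one
# dhcp-send-hostname=false. Existing values are replaced, a missing
# section is appended. Safe to run repeatedly.
disable_dhcp_hostname() {
    f="$1"
    awk '
        /^\[/ {
            sec = substr($0, 2, length($0) - 2); have[sec] = 1; print
            if (sec == "ipv4" || sec == "ipv6") print "dhcp-send-hostname=false"
            next
        }
        # drop any pre-existing value in the two sections (re-emitted above)
        (sec == "ipv4" || sec == "ipv6") && /^dhcp-send-hostname[ \t]*=/ { next }
        { print }
        END {
            if (!have["ipv4"]) printf "\n[ipv4]\ndhcp-send-hostname=false\n"
            if (!have["ipv6"]) printf "\n[ipv6]\ndhcp-send-hostname=false\n"
        }' "$f" > "$f.tmp"
    # write back through cat so the original file keeps its permissions
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Exit 0 only if both sections of FILE set dhcp-send-hostname=false.
dhcp_hostname_disabled() {
    awk '
        /^\[/ { sec = substr($0, 2, length($0) - 2); next }
        (sec == "ipv4" || sec == "ipv6") && /^dhcp-send-hostname[ \t]*=[ \t]*false[ \t]*$/ { ok[sec] = 1 }
        END { exit !(ok["ipv4"] && ok["ipv6"]) }' "$1"
}

# Constructed sample connection for a stand-alone run (not a real Qubes file):
# [ipv4] still sends the hostname and [ipv6] has no setting at all.
demo=$(mktemp -d)
printf '%s\n' '[connection]' 'id=example-wifi' 'type=wifi' '' \
    '[ipv4]' 'method=auto' 'dhcp-send-hostname=true' '' \
    '[ipv6]' 'method=auto' > "$demo/example.nmconnection"
disable_dhcp_hostname "$demo/example.nmconnection"
dhcp_hostname_disabled "$demo/example.nmconnection" && cat "$demo/example.nmconnection"
```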

No. Any obfuscation of MAC addresses, hostnames or other network stuff that you want the outside of your laptop to see must be done in sys-net, which actually holds the physical network device. (Besides Tor, tunneling, VPNs.)

Technically yes, but I think you overlooked the “DHCP is also solved” comment on the first line of the document. So you can remove your modifications again. Sorry for not being clear; the last time I read this thing was with older Qubes versions where this was not fixed/clear.

Thank you for clarifying this to me. Sorry for the million questions.
I want to understand and learn all this properly.
I have only been using Qubes for a few days and I am not leaving. I love how the system is so simple but yet so complicated at the same time. And secure.
So I am definitely staying with Qubes as my daily driver.

No problem :slight_smile:
We have all been there, and networking in Qubes is especially complicated (I would argue maybe even the most complicated part).

The reason this would only work on sys-net is that it has the physical hardware. All other qubes only have virtual hardware. So if you change your MAC address in sys-firewall, your sys-net (and the qubes attached to sys-firewall) will see a different MAC for it, but will use its own for the hardware.
Tor Browser sees its MAC and the one of sys-whonix; sys-whonix sees the one of Tor Browser and the one of sys-firewall, but not of sys-net, which sees only sys-firewall but no sys-whonix anymore, and so on. At each hop you cannot see the MAC of the previous hop anymore, to put it simply.
