Hi,
I’m missing something for the firewall part.
I have my AppVM running on a Sys-vpn VM to have a VPN connection as
I have IPv4 settings any other AppVM and I would like to access SSH to another device in my local network (on top of Qubes: 192.168.1.x for example) but no chance 
I don’t see any firewall rules that limit me to ping a local machine?
Any hints?
Thanks,
The safest way to make an exception for accessing your LAN is to setup
an appVM for your LAN-oriented tasks and connect that appVM to
sys-firewall instead of sys-vpn.
Thanks for the reply.
Let’s say I have a personal appVM I use for Google Photos or Facebook or whatever (people still share stuff there
I want to be behind my sys-VPN
However, if I download an archive, 3GB photos, I need to back it up and therefor I need local network access.
It’s not convenient to move to other appVM 
For now, I shutdown outgoing Internet connection of my AppVM, set to sys-firewall, back everything up, move back to sys-vpn…
I would prefer this appVM has SSH right to local network -_-
Thanks,
The drawback of this approach is that you may forget to set it back (at least I know do).
I agree with @tasket - keep your VPN and non-VPN connections separate.
Assuming you have a standard LVM setup, an alternative is to create a snapshot of your photos AppVM volume, mount it in your local AppVM, backup, and then umount & delete the snapshot. SSH not needed.
HTH.
I forgot the specifics, but the general method to allow this in sys-vpn
is to find out which vif is currently being used by the appVM, then
insert an iptables rule at the top of the FORWARD chain to accept
packets coming from the vif and going to eth0.