Stupid question,
Did you enable sys-firewall in your templateVM qubes?
Every article I’ve read casually describes installing software in TemplateVMs… while the default TemplateVMs don’t have networking enabled.
My guess is that templateVMs don’t have networking for a good reason, but I’m struggling to reason about best practices for setting up my AppVMs.
The Templates have no networking enabled to discourage users from using
them for any purposes other than installing software to be used in
Template based qubes.
Templates connect to a proxy using qrexec, which allows them to download
and install packages without themselves being network connected.
You can (ab)use that proxy for other purposes - installing PGP keys, git
updates, etc.
The mechanism is covered in the fine documentation at:
Although that page refers to temporarily enabling networking this is
almost never necessary. There is always another way.