Very weak internet on AppVM connected directly to sys-firewall

I’ve been using Qubes 4.0.x for over a year. I have a handful of network VMs set up:

  • the default sys-net
  • the default sys-firewall
  • the default sys-whonix
  • a sys-protonvpn VM I set up

I’ve been able to access internet fine via all network VMs (I never use sys-net directly FWIW), except for this morning. I can still connect to internet on AppVMs using sys-whonix or sys-protonvpn network VMs. However, for AppVMs that connect directly to sys-firewall, they are now unable to get internet connection.

The sys-firewall VM seems to be working normally? Otherwise the sys-whonix connection should not work. There are no firewall rules set up. The VM is running, updated…

How do I begin troubleshooting this?

Maybe it’s related to browser configuration? Can you ping Google in an AppVM that connects to the sys-firewall network?

Do AppVMs connected directly to sys-net work? Isn’t sys-whonix connected to sys-firewall?

sys-vpn is not connected to sys-firewall? Is it a clone from sys-firewall? If I forget and leave the permanent killswitch on, it blocks all connections to sys-vpn.

sys-vpn connects to sys-firewall.

Internet works on AppVMs connected to sys-vpn

Internet does not work on AppVMs connected to sys-firewall

This is very confounding and exactly why I opened this issue.

NOTHING connects directly to sys-net, except for sys-firewall.

This is not a browser issue - it’s VM wide. For AppVMs connected to sys-firewall, I get no internet on any apps, such as Firefox, Slack, terminal, etc. UPDATE - THIS IS NOT ACCURATE. SEE BELOW POST. I get “very little” internet…

Hope that clears up my current state.

Maybe at one time you added specific ip addresses to sys-firewall that only allow sys-vpn through?


I misspoke above - I actually can ping from an AppVM connected to sys-firewall (I only have 1 such AppVM FWIW). All other applications on this AppVM requiring internet are timing out though. For example, Firefox, Slack, and Zoom are timing out.

Is it some sort of intra-VM bandwidth issue then?

Not the case in this instance.

Turns out I do have some internet. I can ping IP addresses from the terminal. But no apps that require internet are functioning (Firefox, Slack, Zoom).

How about building a new AppVM, will that do?

I’ve just launched a fresh disposable VM (fedora 33), changed networking to connect to sys-firewall. I am having the same issue. Timeout when trying to connect to in Firefox.

What if you rebuild it? sudo qubesctl state.apply qvm.sys-firewall

Sorry, could you elaborate?

Should I run this from dom0?

What is this supposed to do? I’m concerned because my other net VM (sys-whonix and sys-vpn) and all the AppVMs that rely on them are still working.

Don’t use a disp VM, but create a new AppVM instead, or a DVM (disposable template VM) and then a disp VM based on the DVM.

I created a new standalone VM, based on the Fedora 33 template, with sys-firewall networking.

Still have the same issue: timeout when trying to connect to, while ping still works.

First rename sys-firewall to sys-firewall-1, then could you run sudo qubesctl state.apply qvm.sys-firewall (run it in dom0), then change the networking of the new standalone VM to the sys-firewall that you created recently. Will that do?

I did it. Same result :weary:

I backed up my sys-firewall by renaming it to sys-firewall-1.

I created a new netvm with sudo qubesctl state.apply qvm.sys-firewall from dom0. I connected my new standalone AppVM (based on Fedora 33) to sys-firewall. I still have the same networking experience: I can ping from the AppVM, but the connection to a webpage in Firefox is timed out.

I discovered the issue. It has to do with some home networking change we made recently. My Qubes OS laptop is connected to internet through Ethernet cable, but it also has a WiFi adapter. Recently we changed the settings on one of our WiFi networks.

When my laptop restarts, it automatically connects to remembered networks - however, this remembered network does not have the same route as before. Effectively, my Qubes OS laptop is now connected to 2 networks. This is an accident. I only mean to use my wired Ethernet connection. When I disconnect the sys-net connection to the stale WiFi network, then sys-firewall and AppVMs connected to sys-firewall work normally.

Still, I cannot explain the following, although the work-around (just disconnect / forget the old WiFi network) is satisfactory:

  • Why did ping work, but not other network connections such as Firefox?
  • Why did sys-vpn not care about that stale WiFi network, while sys-firewall tried to use it?

I’m not necessarily looking for an answer to above, but these are some of the things that tripped me up, no doubt.

Sorry for the confusion. Thanks for the help troubleshooting @51lieal and @joe.blough!

1 Like
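
A way to check sys-net for the two-networks state described in the post above, as an added example that is not part of the original thread. It assumes the stale WiFi connection shows up as a second default route in the output of `ip -4 route show default`; the interface names and addresses in the sample are constructed.

```shell
#!/bin/sh
# Flag a netvm that holds default routes on more than one interface
# (for example wired Ethernet plus a remembered WiFi network).

# Constructed sample of `ip -4 route show default` output; the
# interface names (ens6, wls7) and gateways are made up.
SAMPLE_ROUTES='default via 192.168.1.1 dev ens6 proto dhcp metric 100
default via 10.0.0.1 dev wls7 proto dhcp metric 600'

# Read route lines on stdin and print "metric dev gateway" for each
# default route, lowest metric (the preferred route) first.
list_default_routes() {
    awk '$1 == "default" {
        gw = "-"; dev = "-"; metric = 0
        for (i = 2; i < NF; i++) {
            if ($i == "via")    gw = $(i + 1)
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1)
        }
        print metric, dev, gw
    }' | sort -n
}

# Read route lines on stdin; return 0 when at most one interface
# carries a default route, 1 (with a report) when several do.
check_default_routes() {
    routes=$(list_default_routes)
    n=$(printf '%s\n' "$routes" | awk 'NF { print $2 }' | sort -u | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $n interfaces have a default route (metric dev gateway):"
        printf '%s\n' "$routes" | sed 's/^/  /'
        return 1
    fi
    echo "OK: $n interface(s) with a default route"
}

# Demo on the constructed sample; "|| true" keeps the script's exit
# status clean even though the check reports a problem.
printf '%s\n' "$SAMPLE_ROUTES" | check_default_routes || true
```

On a live system, pipe the real output into the same function from a sys-net terminal: `ip -4 route show default | check_default_routes`.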

DNS problem maybe, and you can separate wifi network and ethernet network if you want.

Just clone sys-net and remove ethernet pci from sys-net and remove wifi pci from sys-net-clone.

I am having exactly the same problem, but I did not change any settings in my network.

I cannot access anything on the internet by using sys-firewall, except for pinging.

If I try to access the internet using sys-net directly I get the error message: “Failed to parse rules for IP, blocking traffic”, so this does not work either.

The problem occurred when I restarted my sys-net and sys-firewall this evening. I often had to do this, because of sys-net not connecting to the internet, but I never had any problems doing so.

How did you disconnect sys-net from the stale wifi network? I removed the network via the panel applet and set it up again, but this did not do the trick, as well as everything else mentioned above.

Ok, I solved this one. I do not know what my problem was, but reinstalling sys-firewall AND sys-net did work.