VLAN configuration on sys-net & multiple sys-firewall

Hello, I have qubes connected to a trunk port in my switch, and would like to configure multiple VLANs support on sys-net, where each vlan interface is assigned to a custom sys-firewall to restrict AppVMs network access to their sys-firewall vlan. Here’s a diagram of what I’m trying to accomplish:

sys-net (VLAN 10 & 20) -> vif-vlan10 -> sys-firewall-vlan10 -> AppVM1 (vlan10)
                                                               AppVM2 (vlan10)
                       -> vif-vlan20 -> sys-firewall-vlan20 -> AppVM3 (vlan20)

I’ve searched around but so far didn’t find any guide to work on this, I see many related scripts in /etc/xen/scripts but would like any insight in how to use these both in sys-net & sys-firewallX to accomplish this (Untagged traffic would be removed by bringing the main interface off).

Just to clarify, was a trunk link established between the end-device (sys-net) and the switch? If yes, what kind of NIC do you have?

How many network controllers do you have?

Why would you want sys-net handling trunking?

If you elaborate a bit, there may be a way to avoid this altogether.

> Just to clarify, was a trunk link established between the end-device (sys-net) and the switch? If yes, what kind of NIC do you have?

Yes, ethernet adapter

> How many network controllers do you have?

1

> Why would you want sys-net handling trunking?

To have multiple sys-firewall, each one attached to one VLAN interface so I can isolate AppVMs connected to these sys-firewall to their specified VLAN.

What’s the current state of your setup? Do you have net access?

Have you done any kind of dot1q encapsulation in your sys-net or is it supposed to be natively supported by your NIC?

Generally speaking, trunking on an end-device is not a great idea, so perhaps, depending on your situation, it may be worth exploring purchasing a second NIC and attaching it to a different sys-net vm. That way you’d be effectively separating VLAN traffic into two different vms (sys-net-10 and sys-net-20).

My .02$

> What’s the current state of your setup? Do you have net access?

Yes, network works fine using untagged traffic for both sys-* and appvms

> Have you done any kind of dot1q encapsulation in your sys-net or is it supposed to be natively supported by your NIC?

I can configure VLANs using NetworkManager and they work correctly on sys-net

> Generally speaking, trunking on an end-device is not a great idea, so perhaps, depending on your situation, it may be worth exploring purchasing a second NIC and attaching it to a different sys-net vm. That way you’d be effectively separating VLAN traffic into two different vms (sys-net-10 and sys-net-20).

Yes, although in this model sys-net wouldn’t be just an “end-device” as it would provide vlans similar to how the switch is doing it (sys-firewall* would deal only with untagged traffic). For a 2nd nic, I already tested with an external adapter and it worked, however I have way more than 2 VLANs to configure in sys-net (diagram was just a simple example), so can’t go using that route.

I’ve found https://groups.google.com/g/qubes-users/c/QABazz-NcEc/m/S20NyHqWAAAJ where @unman explains this is possible, however I tried his provided iptables script but can’t get the attached sys-firewall to send/receive traffic.

Ahh understandable.

Just covering the basics here, sorry if it’s obvious: he indicates to place scripts in /rw/config/rc.local and /rw/config/qubes-firewall-user-script. If your sys-net is a DispVM you’ll need to edit the dvm-template which sys-net is based on, otherwise they won’t be there after a reboot.

Seems I was using sys-net vif ip address instead of sys-firewall eth0 ip address, but I also see that I need to “disconnect” from untagged connection. After doing these 2 changes things work correctly on sys-firewall and its connected appvms.

Will play a bit more and provide some documentation for others in need of a similar setup.

Thanks @BEBF738VD for your time.
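The two points the thread settles on (match on the sys-firewall's own eth0 address, not sys-net's vif address, and keep the untagged connection out of the picture) can be expressed as a small policy-routing script in sys-net. The script below is an added example written for this thread; it is not the original poster's setup and not unman's script from the linked qubes-users post. It assumes an iptables-based sys-net, VLAN sub-interfaces named eth0.<id> that are already created and addressed (for example by NetworkManager, as the poster described), a file name of /rw/config/vlan-routes.sh called from /rw/config/rc.local, and constructed placeholder gateways and sys-firewall addresses in VLAN_MAP. Run without arguments it only prints the commands it would apply, so the rule set can be reviewed before it touches anything.

```shell
#!/bin/sh
# Added example (not the thread's or unman's script): bind each sys-firewall
# qube to one VLAN sub-interface in sys-net using policy routing.
# Assumed location: /rw/config/vlan-routes.sh, invoked from rc.local as
#   sh /rw/config/vlan-routes.sh apply
# Assumes an iptables-based sys-net and existing, addressed eth0.<id> links.
#
# VLAN_MAP lines: "<vlan id> <gateway on that VLAN> <sys-firewall eth0 IP>".
# The third field is the 10.137.x.y address seen on eth0 *inside* the
# sys-firewall, not the vif address sys-net shows for it.
# All values below are constructed placeholders.
VLAN_MAP="${VLAN_MAP:-10 192.0.2.1 10.137.0.20
20 198.51.100.1 10.137.0.21}"
PARENT="${PARENT:-eth0}"

# In dry-run mode print the command, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Routing table number derived from the VLAN id (100 + id); reused as the
# rule priority so per-VLAN tables never collide with the main table.
vlan_table() { echo $((100 + $1)); }

# Emit or apply the rules that tie one sys-firewall to one VLAN interface.
vlan_rules() {
  vid=$1; gw=$2; fwip=$3
  dev="$PARENT.$vid"; table=$(vlan_table "$vid")
  # Packets sourced from this sys-firewall consult their own table, whose
  # only default route leaves through the VLAN sub-interface.
  run ip rule add from "$fwip" lookup "$table" priority "$table"
  run ip route add default via "$gw" dev "$dev" table "$table"
  # Masquerade behind the VLAN interface's address (harmless if sys-net's
  # own catch-all MASQUERADE rule already covers this interface).
  run iptables -t nat -A POSTROUTING -s "$fwip" -o "$dev" -j MASQUERADE
  # Isolation: traffic from this firewall that would leave by any other
  # interface (another VLAN, or untagged eth0) is dropped.
  run iptables -I FORWARD -s "$fwip" ! -o "$dev" -j DROP
  run iptables -I FORWARD -s "$fwip" -o "$dev" -j ACCEPT
  # Replies coming back in on the VLAN interface towards this firewall.
  run iptables -I FORWARD -i "$dev" -d "$fwip" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Walk VLAN_MAP, one "vid gateway fwip" triple per line.
apply_all() {
  printf '%s\n' "$VLAN_MAP" | while read -r vid gw fwip; do
    [ -n "$vid" ] && vlan_rules "$vid" "$gw" "$fwip"
  done
}

# No argument (or "print") only shows the commands; "apply" executes them.
case "${1:-print}" in
  print) DRY_RUN=1 ;;
  apply) DRY_RUN=0 ;;
  *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
apply_all
```

The sys-firewall address in each VLAN_MAP line is what `ip addr show eth0` reports inside that sys-firewall; using sys-net's vif address there is exactly the mistake the thread describes. Two caveats: a VLAN sub-interface loses carrier when its parent goes down, so "bringing the main interface off" has to mean removing the untagged IP configuration (the untagged NetworkManager profile), not `ip link set eth0 down`; and, as noted earlier in the thread, a disposable sys-net only keeps the script if it is placed in the disposable template.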