Hello, I have qubes connected to a trunk port in my switch, and would like to configure support for multiple VLANs on sys-net, where each VLAN interface is assigned to a custom sys-firewall to restrict AppVMs' network access to their sys-firewall's VLAN. Here’s a diagram of what I’m trying to accomplish:
I’ve searched around but so far didn’t find any guide to work on this. I see many related scripts in /etc/xen/scripts but would like any insight on how to use these in both sys-net and sys-firewallX to accomplish this (untagged traffic would be removed by bringing the main interface off).
Just to clarify, was a trunk link established between the end-device (sys-net) and the switch? If yes, what kind of NIC do you have?
Yes, ethernet adapter
How many network controllers do you have?
1
Why would you want sys-net handling trunking?
To have multiple sys-firewall, each one attached to one VLAN interface so I can isolate AppVMs connected to these sys-firewall to their specified VLAN.
What’s the current state of your setup? Do you have net access?
Have you done any kind of dot1q encapsulation in your sys-net or is it supposed to be natively supported by your NIC?
Generally speaking, trunking on an end-device is not a great idea, so perhaps, depending on your situation, it may be worth exploring purchasing a second NIC and attaching it to a different sys-net vm. That way you’d be effectively separating VLAN traffic into two different vms (sys-net-10 and sys-net-20).
What’s the current state of your setup? Do you have net access?
Yes, network works fine using untagged traffic for both sys-* and AppVMs.
Have you done any kind of dot1q encapsulation in your sys-net or is it supposed to be natively supported by your NIC?
I can configure VLANs using NetworkManager and they work correctly on sys-net.
Generally speaking, trunking on an end-device is not a great idea, so perhaps, depending on your situation, it may be worth exploring purchasing a second NIC and attaching it to a different sys-net vm. That way you’d be effectively separating VLAN traffic into two different vms (sys-net-10 and sys-net-20).
Yes, although in this model sys-net wouldn’t be just an “end-device”, as it would provide VLANs similar to how the switch is doing it (sys-firewall* would deal only with untagged traffic). For a 2nd NIC, I already tested with an external adapter and it worked; however, I have way more than 2 VLANs to configure in sys-net (the diagram was just a simple example), so I can’t go that route.
Just covering the basics here, sorry if it’s obvious: he indicates to place scripts in /rw/config/rc.local and /rw/config/qubes-firewall-user-script. If your sys-net is a DispVM, you’ll need to edit the dvm-template which sys-net is based on, otherwise they won’t be there after a reboot.
Seems I was using sys-net vif ip address instead of sys-firewall eth0 ip address, but I also see that I need to “disconnect” from untagged connection. After doing these 2 changes things work correctly on sys-firewall and its connected appvms.
Will play a bit more and provide some documentation for others in need of a similar setup.
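The following is an added example sketching the two hooks mentioned above (/rw/config/rc.local for the VLAN subinterfaces, /rw/config/qubes-firewall-user-script for pinning each sys-firewall to its VLAN) together with the two fixes the original poster arrived at: key the policy routing on the sys-firewall's eth0 address, and take the untagged parent out of service. It is not code from the thread or from the Qubes project. Interface names (eth0, vif11.0, vif12.0), VLAN ids, gateway addresses and sys-firewall addresses are constructed placeholders, and the nftables chain used for the forward restriction assumes the Qubes 4.2 layout (table ip qubes, chain custom-forward).

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes OS): per-VLAN sys-firewall
# plumbing in sys-net, written so it can be dry-run outside a qube.
#   sys-net:/rw/config/rc.local                   -> create VLAN subinterfaces
#   sys-net:/rw/config/qubes-firewall-user-script -> pin each sys-firewall to its VLAN
# All names and addresses below are constructed placeholders; check yours with
# `ip addr` in sys-net and in each sys-firewall (use the sys-firewall's eth0 address).

TRUNK_IF="${TRUNK_IF:-eth0}"   # assumption: the trunked NIC shows up as eth0 in sys-net
DRY_RUN="${DRY_RUN:-0}"        # DRY_RUN=1 prints the commands instead of running them

# One line per VLAN: <vlan id> <sys-firewall eth0 ip> <upstream gateway on that VLAN> <vif in sys-net>
# Constructed values for two firewalls (sys-firewall10, sys-firewall20).
VLANS='
10 10.137.0.11 192.168.10.1 vif11.0
20 10.137.0.12 192.168.20.1 vif12.0
'

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create <parent>.<id> and bring it up. The parent link itself must stay up for
# the subinterfaces to pass frames; "turning the untagged interface off" means
# removing its IP configuration (untagged_off), not downing the link.
vlan_up() {
    parent=$1
    vid=$2
    run ip link add link "$parent" name "$parent.$vid" type vlan id "$vid"
    run ip link set "$parent.$vid" up
}

# Remove any address from the untagged parent so sys-net no longer speaks on
# the native VLAN. If NetworkManager owns the NIC, also disable autoconnect on
# its untagged connection, otherwise the address comes back on the next DHCP run.
untagged_off() {
    run ip addr flush dev "$1"
}

# Policy routing: packets sourced from a sys-firewall's eth0 address are looked
# up in a per-VLAN table whose only default route leaves via that VLAN's
# subinterface. Matching the firewall's eth0 address (not sys-net's own vif
# address) is the correction the original poster reported.
route_firewall_via_vlan() {
    fw_ip=$1
    vlan_if=$2
    gw=$3
    table=$4
    run ip route add default via "$gw" dev "$vlan_if" table "$table"
    run ip rule add from "$fw_ip" lookup "$table"
}

# Hard stop in the firewall hook: even if routing is wrong, frames from the vif
# facing a sys-firewall may only be forwarded to that firewall's VLAN.
# Assumes the Qubes 4.2 nftables layout (table ip qubes, chain custom-forward).
pin_vif_to_vlan() {
    vif=$1
    vlan_if=$2
    run nft add rule ip qubes custom-forward iifname "$vif" oifname != "$vlan_if" drop
}

configure_all() {
    untagged_off "$TRUNK_IF"
    printf '%s\n' "$VLANS" | while read -r vid fw_ip gw vif; do
        [ -n "$vid" ] || continue
        vlan_up "$TRUNK_IF" "$vid"
        route_firewall_via_vlan "$fw_ip" "$TRUNK_IF.$vid" "$gw" "$vid"
        pin_vif_to_vlan "$vif" "$TRUNK_IF.$vid"
    done
}

# Only act when asked, e.g. from rc.local:  sh /rw/config/vlans.sh apply
# (DRY_RUN=1 sh /rw/config/vlans.sh apply shows what would be run.)
if [ "${1:-}" = apply ]; then
    configure_all
fi
```

Two things the script deliberately leaves to the existing setup: each eth0.<id> still needs its own address on that VLAN (DHCP through NetworkManager, as the original poster did, or static), and traffic from the vifs leaving through eth0.<id> relies on sys-net's existing NAT rules; confirm with `nft list ruleset` in sys-net that outbound traffic on the subinterfaces is masqueraded before blaming the routing.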