So I have a appVM that I use for torrenting. It’s based on debian-10-minimal (deb-min) and has the minimal amount of packages needed (torrenting software, RSS, Firefox, qubes-core-agent-networking) along with Tasket’s qubes-vm-hardening.
It worked fine for several months before its internet connectivity suddenly vanished, without any changes to the template, the firewall, or the appVM itself beforehand. This persisted across VM and Qubes OS restarts. All the while, network connectivity in other deb-min templates and whonix templates was fine.
This issue showed up again with a fresh appVM based on the same template, and also with fresh deb-min templates with the packages re-installed. Across my many attempts, internet connectivity was sometimes available at first, but then drops off and never returns even after restarting the appVM.
Switching to fedora-32-minimal (fed-min) gave inconsistent results, but was eventually fine. What bothers me is the inconsistent results at first, even for fed-min. I suspect this whole issue has something to do with how Xen/dom0 manages networks. By the way, I use Mirage firewalls.
The problem has been resolved, but is still cause for concern, which is why I’m posting this write-up here. I should mention that another user had a similar issue with fed-min (No internet in fedora-32-minimal) but didn’t specify whether he was using 4.1 or not.
There were some issues with Debian 10 in connection with sys-net but I don’t know if that’s what you’re experiencing.
Did you compile the Mirage firewall with the template script or with docker (or copy it from 4.0)?
I’ve been using Mirage firewalls in 4.0 but building failed in 4.1 each time I tried (the last time is a while ago).
I saw those threads but they don’t seem to apply to deb-min appVMs, which is what I’m using. On top of that, the issue sometimes affects fed-min appVMs while my other deb-min appVMs are working fine.
For 4.1 I just downloaded the compiled kernel (tar.bz2) straight from Github and shoved it into dom0, then followed the rest of the instructions. Saves a lot of time and is less risky than taking all the steps to compile it yourself (in my uninformed opinion).