Vpn via firewall

Hello,

Currently, I have the following configuration:
sys-net -> sys-firewall - > {some vm list, referred as ListA}
sys-net -> vpn-vm -> {some vm list, referred as ListB}
In vpn-vm I have NordVPN. In the current configuration, ListB has VPN and works.

However, if I change the vpn-vm settings to the following:
sys-net -> sys-firewall - > vpn-vm -> {some vm list, referred as ListB}
I get no internet access in ListB.

Question. How to implement the following scheme:
sys-net -> sys-firewall - > vpn-vm -> company-firewall - > {some vm list, referred as ListB}

NB. I have read https://www.qubes-os.org/doc/firewall/ but not able to implement the theory to my problem
NB: sys-firewall has the default configuration. I did not change anything in its default configuration.
NB: qubesos 4.0-8, Fedora32 Template

Thank you.

[user2] user2 https://forum.qubes-os.org/u/user2
December 14

Hello,

Currently, I have the following configuration:
sys-net -> sys-firewall - > {some vm list, referred as ListA}
sys-net -> vpn-vm -> {some vm list, referred as ListB}
In vpn-vm I have NordVPN. In the current configuration, ListB has VPN
and works.

However, if I change the vpn-vm settings to the following:
sys-net -> sys-firewall - > vpn-vm -> {some vm list, referred as
ListB}
I get no internet access in ListB.

If you don’t have any special rules in sys-firewall yet, then this
should just work.

Question. How to implement the following scheme:
sys-net -> sys-firewall - > vpn-vm -> company-firewall - > {some
vm list, referred as ListB}

NB. I have read https://www.qubes-os.org/doc/firewall/
https://www.qubes-os.org/doc/firewall/ but not able to implement the
theory to my problem
NB: sys-firewall has the default configuration. I did not change
anything in its default configuration.
NB: qubesos 4.0-8, Fedora32 Template

Thank you.

I tried your sys-net -> sys-firewall - > vpn-vm -> some vm config
and it works OK for me (although I’m using 4.1 alpha right now). Another
difference is the two rightmost VMs are using a Debian 10 template.

You should check for DNS issues since that is probably the most common
way a Qubes VPN experiences blockage (if you try pinging some known IP
addresses directly and they go through, that would suggest a DNS problem).

If you’re running tests through your company firewall and it is
proprietary or configured for a Linux client then that may also be a
problem.

Thank you for your reply.

Let’s consider the current “vpn” chain:
sys-net -> vpn-vm -> {some vm list, referred as ListB }

sys-net: ping works, 5-7 ms.
vpn-vm: internet works, can browse webpages, but ping does not work.
vm in listB: internet works, can browse webpages, but ping does not work.

Does this already suggest a DNS problem? Is there a standart/easy way to resolve this?