Hi Max, so it looks like you started getting complicated quick.  I think
your first attempt should be fine actually, with one modification.

1) insert a rule at the top of the forwarding table (above 3) accepting
connections between the two, as you did
2) try an 'arping' command between the two and you'll probably see no
response -- in which case, turn on 'proxy_arp' for each of the interfaces
in question in the firewall:

sysctl -w net/ipv4/conf/vifX.0/proxy_arp=1

(where vifX.0 are the interfaces to the VMs you want to network)

Then if you do 'arping' it should return the broadcast MAC
(fe:ff:ff:ff:ff:ff) and the firewall should route packets between your
VMs.  Hope that's helpful, cheers,

=D

On Sun, Oct 23, 2016 at 2:11 AM, Max <maxtannah...@gmail.com> wrote:

> Hi,
>
> I am a new user of Qubes OS so apologies in advance if the question here
> has been answered already in a separate topic (there are similar issues)
> and I haven’t discovered this or it is not one suited to this mailing list.
> I am running Qubes 3.2 and attempting to ping from one VM to another VM,
> specifically from a Standalone Windows 7 VM to a Qubes VM based on the
> Debian 8 template.
>
> All my VMs were initially connected in the default manner i.e. to a
> sys-firewall and through to the sys-net VM, both of which are Fedora 23.
> There are no firewall rules on these VMs restricting which IP addresses can
> be accessed.
>
> Current status:
> - I am able to ping from my Windows 7 VM (10.137.2.19) to the Firewall VM
> (10.137.1.8) using the IP address visible in the VM Manager
>
> - I am unable to ping the Debian 8 VM (10.137.2.18) from my Windows VM.
>
> Steps taken:
> 1) I followed the instructions here
> (https://www.qubes-os.org/doc/qubes-firewall/#enabling-networking-between-two-vms)
> and in the firewall VM’s terminal entered the following iptables rule...
>
> sudo iptables -I FORWARD 2 -s <IP address of Windows 7 VM> -d <IP address of Debian 8 VM> -j ACCEPT
>
> … In VM B’s terminal (Debian 8) I entered the following iptables rule...
>
> sudo iptables -I INPUT -s <IP address of Windows 7 VM> -j ACCEPT
>
> ...but from here when using the ping function to my Debian 8 VM in the cmd
> prompt in Windows, all packets were lost.
>
> 2) As this was not successful I attempted to see if I could connect to VMs
> from an external machine and followed the instructions here
> https://www.qubes-os.org/doc/qubes-firewall/#port-forwarding-to-a-vm-from-the-outside-world.
>
> The Eth0 IP address (192.168.1.6) appeared to be what I should expose the
> service to.
>
> I put the below rule in the sys-net VM’s Terminal...
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.x -j DNAT --to-destination 10.137.1.x
>
> ...and this rule into the sys-firewall VM’s Terminal
>
> iptables -I FORWARD 2 -i eth0 -d 10.137.1.x -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
>
> But using ping or Telnet resulted in lost packets and failed to increase
> the counters when using the iptables -t nat -L -v -n command in the
> sys-firewall VM's terminal.
>
> 3) With this not being successful either I attempted to add a “sys-proxy”
> VM as described here
> https://groups.google.com/forum/#!searchin/qubes-users/intervm%7Csort:relevance/qubes-users/lA2SgPcV9fU/U969uapYAAAJ
> and entered the following in the new sys-proxy VM's terminal:
>
> iptables -I FORWARD 1 -i vif+ -o vif+ -s $intervm_internalnet/24 -d $intervm_internalnet/24 -m state --state NEW -p tcp -m tcp -j ACCEPT
>
> iptables -I FORWARD 1 -i vif+ -o vif+ -s $intervm_internalnet/24 -d $intervm_internalnet/24 -p udp -m udp -j ACCEPT
>
> After this, I was still unable to ping the Debian 8 VM from my Windows VM.
>
> Questions:
>
> 1) Are there any obvious errors in the steps I took and does anyone have
> any suggestions how I can resolve this issue?
>
> 2) There are a number of other incidences of what seemed to be a similar
> issue here:
> https://groups.google.com/forum/?nomobile=true#!msg/qubes-users/59kOjfQFBI4/bjS47-jJJgAJ,
> https://groups.google.com/forum/#!msg/qubes-users/vSyUaOSloYU/ONZNJlhrBAAJ.
> Are the enabling networking between VMs steps described here still correct
> and applicable for Qubes 3.2?
>
> 3) The IP address assignment suggests that the VMs are on the same network
> – the Subnet Mask is 255.255.255.0 so surely any devices with an IP address
> of 10.137.2.x would be able to communicate with each other? What is unique
> in Xen / Qubes that stops this?
>
> 4) Is there a way in which the current routing rules can be displayed and
> reset back to the default if required?
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/qubes-users/0514e15b-950e-4636-95f7-849fc5671fc1%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
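
The steps from the reply, as an added example that is not part of the original thread: a dry-run helper that prints the firewall-VM commands (the FORWARD rule from the quoted message plus proxy_arp on both vifs) and the commands that undo them. The route format used to map an address to its vif and the sample vif numbers are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the firewall-VM commands for
# the steps in the reply, or the commands that undo them; it changes nothing.
# Assumption: `ip -4 route show` in the firewall VM has one host route per
# attached VM, e.g. "10.137.2.18 dev vif18.0 scope link".

# Constructed sample of that output; the vif numbers are made up.
SAMPLE_ROUTES='default via 10.137.1.1 dev eth0
10.137.1.1 dev eth0 scope link
10.137.2.18 dev vif18.0 scope link metric 32734
10.137.2.19 dev vif19.0 scope link metric 32733'

# is_ipv4 ADDR: accept dotted-quad text only, so nothing else reaches a command.
is_ipv4() {
    case $1 in *[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# vif_for_ip ADDR: read route lines on stdin, print the vif that carries ADDR.
vif_for_ip() {
    awk -v ip="$1" '$1 == ip && $2 == "dev" && $3 ~ /^vif[0-9]+\.[0-9]+$/ { print $3; exit }'
}

# plan_intervm apply|revert SRC DST [ROUTES]: print one command per line.
# Both vifs are resolved before anything is printed, so a plan is never partial.
plan_intervm() {
    mode=$1 src=$2 dst=$3
    routes=${4:-$(ip -4 route show)}
    is_ipv4 "$src" && is_ipv4 "$dst" || { echo "bad address" >&2; return 2; }
    case $mode in
        apply)  rule="-I FORWARD 2" val=1 ;;
        revert) rule="-D FORWARD"   val=0 ;;
        *) echo "mode must be apply or revert" >&2; return 2 ;;
    esac
    svif=$(printf '%s\n' "$routes" | vif_for_ip "$src")
    dvif=$(printf '%s\n' "$routes" | vif_for_ip "$dst")
    [ -n "$svif" ] && [ -n "$dvif" ] || { echo "no vif route for $src or $dst" >&2; return 1; }
    echo "iptables $rule -s $src -d $dst -j ACCEPT"
    echo "sysctl -w net/ipv4/conf/$svif/proxy_arp=$val"
    echo "sysctl -w net/ipv4/conf/$dvif/proxy_arp=$val"
}

# Demo on the constructed sample, using the addresses from the quoted message.
plan_intervm apply 10.137.2.19 10.137.2.18 "$SAMPLE_ROUTES"
```

Review the printed lines before running them as root in the firewall VM; the `revert` mode prints the matching rule deletion and sets proxy_arp back to 0 on the same interfaces.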
