On Thu, Feb 23, 2017 at 03:09:20AM -0800, Jarle Thorsen wrote:
> Unman:
> > Jarle - there are a few things you could do. One of them would be to
> > distribute a static route using your DHCP server - implementing
> > a classless static route if your server supports it would be best. You
> > would need to put the external iface of the netVM as the gateway to the
> > internal 10.137.0.0/16 network. This won't be easy with DHCP unless you
> > put a reservation in place.
> >
> > Alternatively you use proxy arp on the external interface of the netVM,
> > as you suggest. You don't need it on the vif interfaces because you
> > have the relevant routing information in the netVM. (As you are
> > connecting qubes directly to the netVM these routes will be set up
> > automatically. You can check this with 'ip route' - If you DID use a
> > firewall you would need to add a static route on the netVM with the fw
> > as gateway to the qubes connected to it.)
>
> So my local network is 10.0.0.0/16 and default GW for all DHCP clients
> (including my NetVM) is 10.0.0.7
>
> The dynamic IP of the NetVM might be 10.0.1.23. So if a client on my
> "outside" network tries to contact an AppVM (10.137.4.23 for example), will it
> send an arp-request (letting arp_proxy do its trick), or will it just send
> the packet to default GW (who currently has no route to 10.137.4.0/24)?
>
Doh, I've only just realised that your network is class B - so proxy arp
won't work as arp doesn't cross networks. Should have read more carefully.
Sorry to waste your time.

Yes, you're right - the packets will go to the default GW and you need
to have a route on there to the GW to the qubes - ie the IP of sys-net.

I still think that a better method would be to give out a route via DHCP
so all clients have that route, but it depends on you being able to do
classless static routing and using a DHCP reservation on sys-net.
Otherwise you need sys-net to broadcast a route which will be picked up
by the default GW on your 10.0/16 network.

cheers

unman
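
The routing decision discussed in this thread, and the DHCP classless static route payload (option 121, RFC 3442) that would change it, as an added example that is not part of the original messages. The client address 10.0.5.9 and the function names are assumptions made for illustration; the other addresses are the ones quoted above.

```python
import ipaddress

def first_hop(iface_cidr, default_gw, dst, static_routes=()):
    """Return the address a host ARPs for when sending a packet to dst.

    iface_cidr    -- the host's own address and prefix, e.g. '10.0.5.9/16'
    static_routes -- (network, gateway) pairs, e.g. learned via DHCP option 121
    """
    dst = ipaddress.ip_address(dst)
    iface = ipaddress.ip_interface(iface_cidr)
    # Each candidate is (prefix length, next hop); the default route has length 0.
    candidates = [(0, ipaddress.ip_address(default_gw))]
    if dst in iface.network:
        # On-link destination: the host ARPs for the destination itself.
        candidates.append((iface.network.prefixlen, dst))
    for net, gw in static_routes:
        net = ipaddress.ip_network(net)
        if dst in net:
            candidates.append((net.prefixlen, ipaddress.ip_address(gw)))
    # Longest prefix match wins.
    return str(max(candidates, key=lambda c: c[0])[1])

def encode_option_121(routes):
    """Build the RFC 3442 option payload: for each route, one byte of prefix
    length, only the significant octets of the destination, then the router."""
    out = bytearray()
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.ip_address(gw).packed
    return bytes(out)

if __name__ == "__main__":
    client = "10.0.5.9/16"           # constructed LAN client address
    qubes = [("10.137.0.0/16", "10.0.1.23")]   # sys-net as gateway to the qubes
    # Without the extra route the packet goes to the default GW, not to ARP.
    print(first_hop(client, "10.0.0.7", "10.137.4.23"))
    # With the route handed out by DHCP the client sends straight to sys-net.
    print(first_hop(client, "10.0.0.7", "10.137.4.23", qubes))
    # A client that accepts option 121 ignores the plain Router option,
    # so the default route has to be repeated inside the option.
    payload = encode_option_121(qubes + [("0.0.0.0/0", "10.0.0.7")])
    print(payload.hex(":"))
```

The gateway in the option only stays valid while sys-net keeps the same address, which is why the thread pairs this approach with a DHCP reservation.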