On Wed, Mar 22, 2017 at 05:39:26AM -0700, Dominique St-Pierre Boucher wrote:
> Interesting question, I don't think that will work right out of the box... I 
> would suggest having a second network card with a second netvm in order to do 
> this easily... But I would love to have a netvm that could redirect to 
> different Firewallvm based on vlan!
> 
> Dominique
> On Wednesday, March 22, 2017 at 8:10:47 AM UTC-4, Marcus Dilger wrote:
> > Hello,
> > I am trying to connect a group of AppVMs to different VLAN networks. The VLAN 
> > networks are available at the physical network adapter (LAN adapter).
> > 
> > What I have done:
> > Set up a VLAN interface in the netVM via NetworkManager; that interface 
> > is already visible via ifconfig and also gets an IP from the DHCP server of 
> > the VLAN.
> > 
> > But I have no idea how to connect a sys-firewall / proxy VM to that 
> > additional VLAN interface of the netVM. Is that the best approach at all? 
> > Or maybe it is possible to have multiple netVMs, one for each VLAN?
> > 
> > Thank you,
> > best
> > Marcus
> 

The obvious route would be to use iptables to separate the traffic to
the different interfaces - it's really no different from routing some
traffic through a VPN interface.

I'd suggest adding another firewall/proxy to your sys-net.
You want some FORWARD rules that restrict traffic from firewallA to the
vlan interface and drop anything else.
Something as simple as this might do:

# Each -I inserts at the top of FORWARD, so the last rule below ends up
# first in the chain: ACCEPT firewallA -> vlan, then DROP the rest.
iptables -I FORWARD -o <vlan iface> -j DROP
iptables -I FORWARD -s firewallA -j DROP
iptables -I FORWARD -s firewallA -o <vlan iface> -j ACCEPT

You will need to set those rules in /rw/config/rc.local, and also have
similar rules to set them in the event of a network event - that's in
/rw/config/qubes-firewall-user-script

hth

unman

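The rule set above, written as an added example of a /rw/config/qubes-firewall-user-script fragment for sys-net (not code from the original thread). It assumes a VLAN interface named eth0.10 and 10.137.1.10 as firewallA's address; both are placeholders, and the -C check keeps the rules from stacking up when the script is re-run on a network event.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed placeholders:
#   VLAN interface eth0.10, firewallA (the VLAN-bound proxy VM) at 10.137.1.10.
# Prints the FORWARD rules in insertion order. Because each one is added with
# -I (insert at top), the LAST line printed ends up FIRST in the chain:
#   1. -s firewallA -o vlan -j ACCEPT   (only allowed path for firewallA)
#   2. -s firewallA -j DROP             (firewallA may not reach other ifaces)
#   3. -o vlan -j DROP                  (nobody else may reach the VLAN)
vlan_forward_rules() {
    vlan="$1"
    fw="$2"
    printf '%s\n' \
        "-o $vlan -j DROP" \
        "-s $fw -j DROP" \
        "-s $fw -o $vlan -j ACCEPT"
}

# Insert each rule only if it is not already present (-C = check), so running
# this from rc.local and again from qubes-firewall-user-script is harmless.
# The third argument lets a test or dry run substitute another command.
apply_vlan_rules() {
    vlan="$1"
    fw="$2"
    ipt="${3:-iptables}"
    vlan_forward_rules "$vlan" "$fw" | while read -r rule; do
        # $rule is deliberately unquoted: it must split into separate arguments
        $ipt -C FORWARD $rule 2>/dev/null || $ipt -I FORWARD $rule
    done
}

# Applied only when run as a script (not when sourced by a test harness)
if [ "${1:-}" = "--apply" ]; then
    apply_vlan_rules "${VLAN_IFACE:-eth0.10}" "${FIREWALL_A:-10.137.1.10}"
fi
```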