Am Mittwoch, 22. März 2017 17:14:56 UTC+1 schrieb Unman: > On Wed, Mar 22, 2017 at 05:39:26AM -0700, Dominique St-Pierre Boucher wrote: > > Interesting question, I don't think that will work right out of the box... > > I would suggest having a second network card with a second netvm in order > > to do this easily... But I would love to have a netvm that could redirect > > to different Firewallvm based on vlan! > > > > Dominique > > On Wednesday, March 22, 2017 at 8:10:47 AM UTC-4, Marcus Dilger wrote: > > > Hello, > > > i try to connect a group of AppVMs to different VLAN Networks. The VLAN > > > networks are available at the physical network adapter (LAN Adapter). > > > > > > What i have done : > > > Setup up an VLAN Interface in the netVM via NetworkManager, that > > > Interface is already visible via ifconfig and also get a IP from the DHCP > > > Server of the VLAN. > > > > > > But i have no idea how to connect a sys-firewall / proxy vm to that > > > additional VLAN interface of the netVM ? Is that the best approach at all > > > ? Or maybe it is possible to have multiple netVM for each VLAN ? > > > > > > Thank you, > > > best > > > Marcus > > > > The obvious route would be to use iptables to separate the traffic to > the different interfaces - it's really no different from routing some > traffic through a VPN interface. > > I'd suggest adding another firewall/proxy to your sys-net. > You want some FORWARD rules that restrict traffic from firewallA to the > vlan interface and drop anything else. > Something as simple as this might do: > > iptables -I FORWARD -o <vlan iface> -j DROP > iptables -I FORWARD -s firewallA -j DROP > iptables -I FORWARD -s firewallA -o <vlan iface> -j ACCEPT > > You will need to set those rules in /rw/config/rc.local, and also have > similar rules to set them in the event of a network event - that's in > /rw/config/qubes-firewall-user-script > > hth > > unman
Thank you for your answer. I get the point with IPtables. But I lost with the VM Stack structure .. Lets say Trunk contain 3 type of packets for e.g. Packets without VLAN, with VLAN100 and VLAN200 So may be the stack could be: => LAN Adapter => Trunk => netVM => Trunk => sys-Firewall => Trunk => sys-Proxy + add Interface for VLAN200 + IPTables => VLAN200 => AppVM Will the VM's connected to netVM also see trunk traffic ? Thanks Marcus -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/32f282dc-5443-4d79-a2b9-1931255b3a5f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
