What I would like to do is add a second IP to both sys-firewall and
sys-net so that I can NAT traffic from one of my VMs in/out through
these IPs. So what I end up with is two IPs on sys-net, one handling
all the traffic for most of my VMs, the other handling traffic for one
specific VM. This way I can do additional firewall restrictions on this
VM in my networks.
If I manually add the IP addresses to sys-net and sys-firewall, manually
add the destination NAT and source NAT rules to both as well, then
manually add a route in sys-net, and also force another rule into the
IPTABLES raw table on sys-net (to override a rule added by
/etc/xen/scripts/vif-routes-qubes which restricts all incoming traffic
from sys-firewall to the IP assigned by qubes to the default interface),
then I'm able to make this work.
However, this is very finicky and totally unscriptable in this
configuration, and I'd really like this to be something auto-configured.
I've looked and looked and don't see where I can add a second interface
definition to any config files. If I manually edit the xen
sys-firewall.conf file it just gets overwritten by qubes. I can do all
the iptables rules I need in the /rw/config scripts, but what I really
need is for sys-firewall to add another virtual interface for me.
I tried running: sudo xl network-attach sys-firewall
script=/etc/xen/scripts/vif-route-qubes ip=10.150.10.10 backend=sys-net
This will add the interface and set up sys-net with the correct routes
and rules, HOWEVER, the interface that it adds to sys-firewall has the
same IP as the existing interface, which breaks all the traffic going out.
Has anyone ever had any success doing something like this?
Any suggestions out there?
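As an added illustration (not part of the original post) of the manual sys-net side of the setup the poster describes: a /rw/config style fragment that adds the second external IP, the return route to sys-firewall's extra IP, the DNAT/SNAT pair, and an ACCEPT in the raw PREROUTING chain inserted ahead of the vif-route-qubes DROP. The uplink name, the vif name, the external address, the exact shape of the raw DROP rule and the "emit, then apply" structure are all assumptions; 10.150.10.10 is the only value taken from the post.

```shell
#!/bin/sh
# Added example, not the poster's script. Generates the sys-net rules for
# routing one VM (already NATed by sys-firewall to FW_EXTRA_IP) through a
# second external address. Every name below except 10.150.10.10 is assumed.

UPLINK_IF="eth0"              # sys-net uplink interface (assumption)
FW_VIF="vif3.0"               # vif in sys-net facing sys-firewall (assumption)
EXTRA_EXT_IP="192.0.2.10/24"  # second external IP, placeholder (TEST-NET-1)
FW_EXTRA_IP="10.150.10.10"    # second IP on sys-firewall (from the post)

# Emit the commands as text first so they can be reviewed before running.
# $1 uplink, $2 vif, $3 external IP with prefix, $4 sys-firewall extra IP
nat_commands() {
  uplink="$1"; fw_vif="$2"; ext_ip="$3"; fw_ip="$4"
  ext_addr="${ext_ip%%/*}"   # strip the prefix length for NAT targets
  cat <<EOF
ip addr add $ext_ip dev $uplink
ip route add $fw_ip/32 dev $fw_vif
iptables -t raw -I PREROUTING -i $fw_vif -s $fw_ip -j ACCEPT
iptables -t nat -A PREROUTING -i $uplink -d $ext_addr -j DNAT --to-destination $fw_ip
iptables -t nat -A POSTROUTING -o $uplink -s $fw_ip -j SNAT --to-source $ext_addr
iptables -I FORWARD -i $uplink -o $fw_vif -d $fw_ip -j ACCEPT
EOF
}
# Note: the raw ACCEPT is inserted with -I so it sorts before whatever
# "! -s <qubes ip> -j DROP" rule vif-route-qubes placed on that vif; the
# FORWARD accept should be narrowed to the ports actually published.

# Only apply when explicitly asked, e.g. "sh thisfile.sh apply" from rc.local.
if [ "${1:-}" = "apply" ]; then
  nat_commands "$UPLINK_IF" "$FW_VIF" "$EXTRA_EXT_IP" "$FW_EXTRA_IP" | sh -e
fi
```

Running without the `apply` argument prints the rule set, so it can be diffed against what vif-route-qubes already installed before anything is changed.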