> I believe that is indeed the aim.
> You can either set to 255.255.255.0 or add a specific route, as you have
> done. (Did you set a return route on the destination also?)

The return route is automatically added to the Proxy with the vif-route-qubes, 
and the destination sends all traffic to the proxy. The vif-route-qubes seems to 
work perfectly, I noticed no difference between a Qube and a HVM using the 
script...

> The next step would be to examine the rules on the proxy to make sure
> that you are allowing the traffic through the ProxyVM. You could listen
> on the interface that's attached to 10.137.0.8 to see if traffic is
> outbound from there.
> 
> unman

I removed all firewall rules (from Proxy and Qube Server), here's the conf:

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain QBS-FORWARD (0 references)
target     prot opt source               destination

# iptables -t raw --list

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Always the same result, Qube client connects to Qube server perfectly, HVM 
doesn't connect to Qube server.

I captured traffic this afternoon and I think it's an ARP problem... Here's a 
working ARP session when I connect from Qube client to Qube Server:

QUBE CLIENT ARP (from its specific vif):

18:32:09.483319 ARP, Request who-has 10.137.0.12 tell 10.137.0.10, length 28
18:32:09.483502 ARP, Reply 10.137.0.12 is-at 00:16:3e:5e:6c:00, length 28
18:32:09.746948 ARP, Request who-has 10.137.0.10 tell 10.137.0.12, length 28
18:32:09.746970 ARP, Reply 10.137.0.10 is-at fe:ff:ff:ff:ff:ff, length 28

QUBE SERVER ARP (from its specific vif):

18:32:09.483343 ARP, Request who-has 10.137.0.8 tell 10.137.0.10, length 28
18:32:09.483536 ARP, Reply 10.137.0.8 is-at 00:16:3e:5e:6c:00, length 28
18:32:09.542795 ARP, Request who-has 10.137.0.10 tell 10.137.0.8, length 28
18:32:09.542817 ARP, Reply 10.137.0.10 is-at fe:ff:ff:ff:ff:ff, length 28

--

And here is the ARP session from HVM to Qube Server:

HVM ARP:

18:33:34.793593 ARP, Request who-has 10.137.0.10 tell 10.137.0.200, length 28
18:33:34.793631 ARP, Reply 10.137.0.10 is-at fe:ff:ff:ff:ff:ff, length 28

18:34:06.537570 ARP, Request who-has 10.137.0.10 tell 10.137.0.200, length 28
18:34:06.537609 ARP, Reply 10.137.0.10 is-at fe:ff:ff:ff:ff:ff, length 28

18:34:38.793679 ARP, Request who-has 10.137.0.10 tell 10.137.0.200, length 28
18:34:38.793699 ARP, Reply 10.137.0.10 is-at fe:ff:ff:ff:ff:ff, length 28

QUBE SERVER ARP:

Nothing :(

--

It's like the Proxy does not forward traffic to the destination vif, but 
there's no firewall rule blocking it, so I'm out of ideas...

Other observations: ping is working between HVM and Proxy. No luck between HVM 
and Qube Server. 

I saw that every Qube had the same MAC address (I don't understand how it's 
possible, I'd really appreciate a document explaining how Qubes Networking 
works...) so I tried to set this same MAC address to the HVM, no more luck.

Any help appreciated! I'm feeling desperate right now :(
