On Thu, Oct 11, 2018 at 06:02:55PM -0700, jmarkdavi...@gmail.com wrote:
> I guess to further clarify what I want to try to do is have sys net be
> connected to the interface that is connected to my modem (to the ISP/world).
>
> I would like another vm to control all (or some) other
> physical interfaces on my machine (access points/etc..).
>
> I would like a qubeVM from within the machine running qubes to be able to
> connect via those physical interfaces as if they were also attached to the
> physical interface.
>
> Ideally so that the qubes OS is segregating physical NICs along with
> applications.
>
> So let's say FreeNAS is running inside qubes. And someone near my access point
> wants to use freeNAS via wifi, they would log in via ssh or whatever over the
> access point.
>
> But if that same someone is somewhere else they can ssh or whatever to
> freeNAS via the internet and the wan NIC that sys-net controls.
>
That makes it much clearer to me. Thanks.

There are a number of different ways to approach this, but the one that
seems easiest would be something like this:

    sys-net -- sys-fw -- freeNAS
                  |
                  -- qube1
                  |
                  -- wifi -- qube2

wifi is set up to "provide network" - i.e. it's a NetVM, and acts as
access point via attached wifi.

Setting up access via sys-net to freeNAS is straightforward, and already
documented, as you know. I suggest you get that working first.

Provisioning the wifi qube should be straightforward. You will need to
set up the wifi access point, and then configure port forwarding to
freeNAS. sys-fw should be the default route set on wifi qube. Depending
on whether you want downstream clients (like qube2) you may want to
change this.

You will need to set fw rules to allow traffic between these vif
interfaces.

You will need to adjust routes to ensure that traffic arriving at
freeNAS via wifi does not get sent out via sys-net. The simplest way to
achieve this will be to use source NAT on wifi, or Masquerade, depending
on your configuration.

Note that qube2 can connect EITHER to freeNAS port OR to external IP of
sys-net. If you don't want this, either have no qubes connected
downstream of wifi, or adjust fw on wifi to block traffic from all vif
interfaces to eth0.

If you need help with the details, just ask.

unman

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181015125948.5rcerl6hw7s3usbm%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
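The steps unman lists for the wifi qube (port forwarding to freeNAS, source NAT/masquerade so replies come back through wifi instead of leaving via sys-net, and blocking downstream vif traffic to eth0) fit into one iptables script. The script below is an added example written for this thread, not code from unman or from the Qubes project. It assumes the wifi qube sees its upstream link to sys-fw as eth0, its access-point radio as wlan0 (hostapd configured separately), and downstream qubes such as qube2 as vif+ interfaces; the addresses 10.137.0.20 (freeNAS), 10.137.0.30 (wifi qube's upstream address) and 192.168.50.1 (AP address) are constructed sample values, and the chain names are plain iptables chains rather than the QBS- chains Qubes generates itself. It prints the rules by default (DRY_RUN=1) so they can be reviewed before being applied from /rw/config/qubes-firewall-user-script with `apply`.

```shell
#!/bin/sh
# Added example for the "wifi" NetVM in unman's diagram (not from the thread).
# Assumed interfaces: eth0 = upstream to sys-fw, wlan0 = access point,
# vif+ = downstream qubes (qube2). Addresses are constructed samples.
FREENAS_IP="${FREENAS_IP:-10.137.0.20}"    # assumed freeNAS address behind sys-fw
WIFI_IP="${WIFI_IP:-10.137.0.30}"          # assumed address of the wifi qube on eth0
AP_IP="${AP_IP:-192.168.50.1}"             # assumed AP address on wlan0
FWD_PORT="${FWD_PORT:-22}"                 # the ssh port the AP clients use
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print rules, 0 = apply them

# Wrapper so every rule can be reviewed before it touches the firewall.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules for the wifi qube. IP forwarding is already on in a qube that
# "provides network", so only NAT and FORWARD policy are needed here.
wifi_rules() {
    # 1. Port forwarding: AP clients connecting to AP_IP:FWD_PORT reach freeNAS.
    ipt -t nat -A PREROUTING -i wlan0 -p tcp -d "$AP_IP" --dport "$FWD_PORT" \
        -j DNAT --to-destination "$FREENAS_IP:$FWD_PORT"
    # 2. Masquerade upstream: freeNAS sees the wifi qube as the source, so its
    #    replies return here instead of following its default route to sys-net.
    ipt -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # 3. Forward only the forwarded flow from the AP and its return traffic.
    ipt -A FORWARD -i wlan0 -o eth0 -p tcp -d "$FREENAS_IP" --dport "$FWD_PORT" -j ACCEPT
    ipt -A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Downstream qubes (qube2) may reach the freeNAS port and nothing else
    #    via eth0, so they cannot use this qube as a path to sys-net.
    ipt -A FORWARD -i vif+ -o eth0 -p tcp -d "$FREENAS_IP" --dport "$FWD_PORT" -j ACCEPT
    ipt -A FORWARD -i vif+ -o eth0 -j DROP
}

# Matching rule for sys-fw: allow the wifi qube to reach freeNAS across the
# two vif interfaces (unman's "fw rules to allow traffic between these vif
# interfaces"). Qubes blocks inter-vif traffic by default, hence the insert.
sysfw_rules() {
    ipt -I FORWARD -i vif+ -o vif+ -s "$WIFI_IP" -d "$FREENAS_IP" \
        -p tcp --dport "$FWD_PORT" -j ACCEPT
}

case "${1:-}" in
    apply-wifi)  DRY_RUN=0; wifi_rules ;;
    apply-sysfw) DRY_RUN=0; sysfw_rules ;;
    show)        wifi_rules; sysfw_rules ;;
esac
```

Run `sh wifi-rules.sh show` in the wifi qube to review the generated lines, then `apply-wifi` there and `apply-sysfw` in sys-fw. The MASQUERADE rule is what keeps freeNAS from answering AP clients via sys-net: the only address freeNAS ever sees is the wifi qube's, so no route change on freeNAS itself is required.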