On Sat, Nov 24, 2018 at 02:41:07PM -0800, qubesuserma...@gmail.com wrote:
> On Thursday, November 22, 2018 at 7:35:38 PM UTC-5, unman wrote:
> > Attach Windows Vm to the new qube.
> > Attach your NIC to the Windows VM.
> > Now the WindowsVM has two network devices.
>
> Wow, I never thought that NIC can be attached to VM not on topmost, thanks
> for the tip!
> But, as I was setting up the network you described, the same weird weird
> problem happened again which I've been dealing with for 2 days and still have
> no clue...
>
> That is, it seems that a qube couldn't UNDERSTAND the packets coming through
> its vif+ interface with source ip address not of the qube directly connected
> to its vif+. By "understand" I mean the packet can be seen by tcpdump and
> wireshark on the corresponding vif, but never reaches the application, as if
> dropped by kernel.
>
> In your networking:
>
>      i   <---- i can't deliver packets generated from outside to C
>     / \
>    /   \
>   C     W <---> outside
>
> i,W,C can ping each other OK
> W pings outside: OK
> i/C pings outside: ICMP reply seen by tcpdump on i's right side vif, but ping
> failed.
>
> Same thing happens in this situation:
>
> a
> |
> |
> b
> |
> |
> c
>
> c/b pings a: OK
> a pings c: reply seen by tcpdump, but ping fails
>
> Iptables are all empty and rp_filter is 0, so it kinda narrows it down to
> kernel and XEN. But I don't see any packet-dropping in statistics.
> This strange behavior strikes me as some kind of security mechanism. Do you
> have the same problem?
>

You haven't looked at my other posts, I think.
Have you checked the raw table?
By default a netvm restricts traffic on a vif to the allocated IP: you
need to remove that restriction.

I made some notes on using an openBSD HVM as a netvm -
https://github.com/unman/notes/blob/master/openBSD_as_netvm
You should be able to adapt them to your own case.

unman
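
An added illustration of the raw-table check the reply above points to (not part of the original thread or of the linked notes): it parses `iptables-save -t raw` output, finds rules that pin a vif to one source address, and reports what happens to a packet arriving on that vif with a different source. The rule shape, vif names and addresses in `SAMPLE_RAW` are constructed assumptions; compare them with the real dump from your own netvm.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format. The rule shape (drop on a vif
# unless the source is the allocated IP) is an assumption for illustration.
SAMPLE_RAW = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -s 10.137.0.20/32 -i vif5.0 -j DROP
-A PREROUTING ! -s 10.137.0.21/32 -i vif6.0 -j DROP
COMMIT
"""


def parse_vif_source_locks(raw_dump):
    """Return {iface: [networks]} for PREROUTING rules of the form
    '! -s <addr> -i <iface> -j DROP' (the two matches in either order)."""
    locks = {}
    for line in raw_dump.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "PREROUTING"] or tok[-2:] != ["-j", "DROP"]:
            continue
        iface = src = None
        i = 2
        while i < len(tok) - 2:
            if tok[i] == "!" and tok[i + 1] == "-s":
                src, i = tok[i + 2], i + 3
            elif tok[i] == "-i":
                iface, i = tok[i + 1], i + 2
            else:
                i += 1
        if iface and src:
            net = ipaddress.ip_network(src, strict=False)
            locks.setdefault(iface, []).append(net)
    return locks


def verdict(locks, iface, src_ip):
    """DROP if any source lock on a matching iface excludes src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for pattern, nets in locks.items():
        # iptables treats a trailing '+' in an interface name as a wildcard
        hit = (iface.startswith(pattern[:-1]) if pattern.endswith("+")
               else iface == pattern)
        if hit and not all(ip in n for n in nets):
            return "DROP"
    return "ACCEPT"
```

With the sample rules, a packet entering on `vif5.0` is accepted only when its source is `10.137.0.20`; traffic forwarded by that qube on behalf of another host still shows up in tcpdump on the vif and is then dropped in the raw table, which matches the symptom described in the quoted message.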