On Fri, 6 Oct 2017 10:20:18 -0400
> What I would like to do is add a second IP to both sys-firewall and
> sys-net so that I can NAT traffic from one of my VM's in/out through
> these IP's. So what I end up with is two IP's on sys-net, one
> handling all the traffic for most of my VM's, the other handling
> traffic for one specific VM. This way I can do additional firewall
> restrictions on this VM in my networks.
> If I manually add the IP addresses to sys-net and sys-firewall,
> manually add the destination NAT and source NAT rules to both as
> well, then manually add a route in sys-net, and also force another
> rule into the IPTABLES raw table on sys-net (to override a rule added
> by /etc/xen/scripts/vif-routes-qubes which restricts all incoming
> traffic from sys-firewall to the IP assigned by qubes to the default
> interface), then I'm able to make this work.
> However, this is very finicky and totally unscriptable in this
> configuration, and I'd really like this to be something auto
> configured on boot.
> I've looked and looked and don't see where I can add a second interface
> definition to any config files. If I manually edit the xen
> sys-firewall.conf file it just gets overwritten by qubes. I can do
> all the iptables rules I need in the /rw/config scripts, but what I
> really need is for sys-firewall to add another virtual interface for
> I tried running:
>
>     sudo xl network-attach sys-firewall script=/etc/xen/scripts/vif-route-qubes ip=10.150.10.10 backend=sys-net
>
> This will add the interface and set up sys-net with
> the correct routes and rules, HOWEVER, the interface that it adds to
> sys-firewall has the same IP as the existing interface, which breaks
> all the traffic going out of sys-firewall.
> Has anyone ever had any success doing something like this?
> Any suggestions out there?
Wouldn't it be possible to add a second Firewall VM to be used solely
by your special single vm?