[qubes-users] Re: VLAN to AppVM ?
On Wednesday, 22 March 2017 13:10:47 UTC+1, Marcus Dilger wrote:
> Hello,
> I try to connect a group of AppVMs to different VLAN networks. The VLAN
> networks are available at the physical network adapter (LAN adapter).
>
> What I have done:
> Set up a VLAN interface in the netVM via NetworkManager; that interface is
> already visible via ifconfig and also gets an IP from the DHCP server of the
> VLAN.
>
> But I have no idea how to connect a sys-firewall / proxy VM to that
> additional VLAN interface of the netVM. Is that the best approach at all?
> Or maybe it is possible to have multiple netVMs, one for each VLAN?
>
> Thank you,
> best
> Marcus

No way. Still not succeeded. Only the netVM gets VLAN traffic. All VMs behind it (i.e. firewall, proxy) get untagged traffic only. What is functional is an additional VLAN interface in the netVM for tagged traffic. But I have no idea how to configure the firewall / proxy VM behind it to connect to that additional interface.

Any help would be appreciated.

Thanks, best
Marcus
Re: [qubes-users] Re: VLAN to AppVM ?
On Wednesday, 22 March 2017 17:14:56 UTC+1, Unman wrote:
> On Wed, Mar 22, 2017 at 05:39:26AM -0700, Dominique St-Pierre Boucher wrote:
> > Interesting question, I don't think that will work right out of the box...
> > I would suggest having a second network card with a second netvm in order
> > to do this easily... But I would love to have a netvm that could redirect
> > to different Firewallvm based on vlan!
> >
> > Dominique
> > On Wednesday, March 22, 2017 at 8:10:47 AM UTC-4, Marcus Dilger wrote:
> > > Hello,
> > > I try to connect a group of AppVMs to different VLAN networks. The VLAN
> > > networks are available at the physical network adapter (LAN adapter).
> > >
> > > What I have done:
> > > Set up a VLAN interface in the netVM via NetworkManager; that
> > > interface is already visible via ifconfig and also gets an IP from the DHCP
> > > server of the VLAN.
> > >
> > > But I have no idea how to connect a sys-firewall / proxy VM to that
> > > additional VLAN interface of the netVM. Is that the best approach at all?
> > > Or maybe it is possible to have multiple netVMs, one for each VLAN?
> > >
> > > Thank you,
> > > best
> > > Marcus
>
> The obvious route would be to use iptables to separate the traffic to
> the different interfaces - it's really no different from routing some
> traffic through a VPN interface.
>
> I'd suggest adding another firewall/proxy to your sys-net.
> You want some FORWARD rules that restrict traffic from firewallA to the
> vlan interface and drop anything else.
> Something as simple as this might do:
>
> iptables -I FORWARD -o -j DROP
> iptables -I FORWARD -s firewallA -j DROP
> iptables -I FORWARD -s firewallA -o -j ACCEPT
>
> You will need to set those rules in /rw/config/rc.local, and also have
> similar rules to set them in the event of a network event - that's in
> /rw/config/qubes-firewall-user-script
>
> hth
>
> unman

Thank you for your answer. I get the point with iptables. But I'm lost with the VM stack structure.

Let's say the trunk contains 3 types of packets, e.g. packets without VLAN, with VLAN100 and with VLAN200. So maybe the stack could be:

  LAN adapter
  => Trunk => netVM
  => Trunk => sys-firewall
  => Trunk => sys-proxy + additional interface for VLAN200 + iptables
  => VLAN200 => AppVM

Will the VMs connected to the netVM also see trunk traffic?

Thanks
Marcus
Re: [qubes-users] Re: VLAN to AppVM ?
On Wed, Mar 22, 2017 at 05:39:26AM -0700, Dominique St-Pierre Boucher wrote:
> Interesting question, I don't think that will work right out of the box... I
> would suggest having a second network card with a second netvm in order to do
> this easily... But I would love to have a netvm that could redirect to
> different Firewallvm based on vlan!
>
> Dominique
> On Wednesday, March 22, 2017 at 8:10:47 AM UTC-4, Marcus Dilger wrote:
> > Hello,
> > I try to connect a group of AppVMs to different VLAN networks. The VLAN
> > networks are available at the physical network adapter (LAN adapter).
> >
> > What I have done:
> > Set up a VLAN interface in the netVM via NetworkManager; that interface
> > is already visible via ifconfig and also gets an IP from the DHCP server of
> > the VLAN.
> >
> > But I have no idea how to connect a sys-firewall / proxy VM to that
> > additional VLAN interface of the netVM. Is that the best approach at all?
> > Or maybe it is possible to have multiple netVMs, one for each VLAN?
> >
> > Thank you,
> > best
> > Marcus
>
The obvious route would be to use iptables to separate the traffic to
the different interfaces - it's really no different from routing some
traffic through a VPN interface.

I'd suggest adding another firewall/proxy to your sys-net.
You want some FORWARD rules that restrict traffic from firewallA to the
vlan interface and drop anything else.
Something as simple as this might do:

iptables -I FORWARD -o -j DROP
iptables -I FORWARD -s firewallA -j DROP
iptables -I FORWARD -s firewallA -o -j ACCEPT

You will need to set those rules in /rw/config/rc.local, and also have
similar rules to set them in the event of a network event - that's in
/rw/config/qubes-firewall-user-script

hth

unman
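A worked version of unman's three FORWARD rules as a sys-net script, added here as an example; it is not code from the thread or from the Qubes project. The names are assumptions: eth0.200 for the 802.1Q sub-interface in sys-net (the quoted rules leave the -o argument blank; the script fills it with this placeholder), 10.137.0.20 for the address Qubes assigned to the VLAN firewall VM, and 192.0.2.1 for the VLAN's DHCP gateway; the policy route is an addition the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the thread or Qubes: a sys-net /rw/config/qubes-firewall-user-script
# (Qubes re-runs it on network events; source it from /rw/config/rc.local as well).
# Placeholders, all assumptions:
#   VLAN_IF  802.1Q sub-interface NetworkManager created in sys-net (e.g. eth0.200;
#            CLI equivalent: nmcli con add type vlan ifname eth0.200 dev eth0 id 200)
#   FW_IP    address Qubes assigned to the firewall VM reserved for this VLAN
#   VLAN_GW  gateway the VLAN's DHCP server handed out (see: ip route show dev eth0.200)
VLAN_IF="${VLAN_IF:-eth0.200}"; FW_IP="${FW_IP:-10.137.0.20}"; VLAN_GW="${VLAN_GW:-192.0.2.1}"

# unman's three FORWARD rules, filled in. Each -I inserts at the top, so the last printed
# rule is matched first: ACCEPT fw->vlan, DROP fw->anything else (no leak via the untagged
# uplink), DROP anything else->vlan (the other firewall VMs never reach the VLAN).
vlan_forward_rules() {
    printf 'iptables -I FORWARD -o %s -j DROP\n' "$1"
    printf 'iptables -I FORWARD -s %s -j DROP\n' "$2"
    printf 'iptables -I FORWARD -s %s -o %s -j ACCEPT\n' "$2" "$1"
}

# Not in unman's reply: FORWARD only filters, it does not pick the egress interface.
# Without a source-based route the fw VM's packets still follow sys-net's default route,
# hit the second DROP above and go nowhere, so add a policy route for its address.
vlan_policy_route() {
    printf 'ip route replace default via %s dev %s table 200\n' "$3" "$1"
    printf 'ip rule del from %s lookup 200 2>/dev/null || true\n' "$2"
    printf 'ip rule add from %s lookup 200\n' "$2"
}

# Run a generated iptables command only if its rule is not already present (-C check),
# so repeated network events do not pile up duplicate rules.
run_once() {
    case "$1" in
        iptables*) chk=$(printf '%s' "$1" | sed 's/ -I / -C /')
                   eval "$chk" >/dev/null 2>&1 && return 0 ;;
    esac
    eval "$1"
}

apply_vlan_rules() {
    # With a missing VLAN interface the ACCEPT would match nothing and the DROP on -s FW_IP
    # would cut that firewall VM off completely, so refuse to continue.
    ip link show "$VLAN_IF" >/dev/null 2>&1 || { echo "no interface $VLAN_IF" >&2; return 1; }
    { vlan_forward_rules "$VLAN_IF" "$FW_IP"; vlan_policy_route "$VLAN_IF" "$FW_IP" "$VLAN_GW"; } |
        while read -r cmd; do run_once "$cmd"; done
}

# Only touch iptables/ip when invoked for real: sh this-script apply
if [ "${1:-}" = "apply" ]; then apply_vlan_rules; fi
```

Return traffic arriving on the VLAN interface for the firewall VM matches none of the three rules and falls through to the default Qubes FORWARD chain, so established connections are unaffected.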
[qubes-users] Re: VLAN to AppVM ?
Interesting question, I don't think that will work right out of the box... I would suggest having a second network card with a second netvm in order to do this easily... But I would love to have a netvm that could redirect to different Firewallvm based on vlan!

Dominique
On Wednesday, March 22, 2017 at 8:10:47 AM UTC-4, Marcus Dilger wrote:
> Hello,
> I try to connect a group of AppVMs to different VLAN networks. The VLAN
> networks are available at the physical network adapter (LAN adapter).
>
> What I have done:
> Set up a VLAN interface in the netVM via NetworkManager; that interface is
> already visible via ifconfig and also gets an IP from the DHCP server of the
> VLAN.
>
> But I have no idea how to connect a sys-firewall / proxy VM to that
> additional VLAN interface of the netVM. Is that the best approach at all?
> Or maybe it is possible to have multiple netVMs, one for each VLAN?
>
> Thank you,
> best
> Marcus