I have 3 questions about Whonix related KVM networking.
I have tried to hook up a Vfirewall behind the gateway with a plain internal (bridged) network and an internal (bridged) network with a DHCP Server for the gateway. Both failed. Can anyone give me a hint how I can build an internal network that supports communication between the gateway WAN and another VM?
Does anyone have a DHCP server running in the gateway LAN to make it more flexible for custom workstations? I've read about the caveats with DHCP in the gateway, so I've had an idea for a KVM internal network that provides a DHCP server for the LAN and routes everything to the gateway. I've had no luck in building this. Please share your experiences.
Not directly Whonix related:
Does anyone have an idea for a HOST firewall that blocks any traffic except from libvirt/KVM group? Or is it possible to use e.g. a macvtap device to route everything through an Ethernet port directly, so you can block host networking completely?
You probably need to adjust Vfirewall rules to route traffic across its interfaces and direct it to the GW. Using a Vfirewall is unnecessary because Libvirt supports custom traffic filtering rules and preset clean-traffic ones for some basic protection against spoofing or DoS. I don't bother with them though, because there isn't much a WS can do and because it can theoretically increase attack surface.
Look at our documentation for DHCP support. Libvirt supports this feature in a minimalist and safer way than installing a full-fledged DHCP server on the GW.
This is something we will implement for Whonix Host, but nothing is in code yet.
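As an added illustration of the two libvirt features the reply points to (network-level DHCP instead of a DHCP daemon on the GW, and the preset clean-traffic filter), not taken from the thread or from the Whonix project's own configuration: an isolated libvirt network definition with a DHCP pool. The network name, the 10.0.20.0/24 addresses and the MAC address are constructed placeholders, not Whonix values; substitute the gateway's real LAN subnet.

```xml
<!-- Example only: an isolated libvirt network (no <forward> element means
     no host-side NAT or routing) that hands out addresses via libvirt's
     built-in dnsmasq. Load with: virsh net-define this-file.xml && virsh
     net-start ws-lan && virsh net-autostart ws-lan -->
<network>
  <name>ws-lan</name>                      <!-- placeholder network name -->
  <bridge name="virbr-wslan" stp="on" delay="0"/>
  <!-- The host bridge gets 10.0.20.1; guests must still point their default
       route at the GW's LAN address (set it statically in the GW, placeholder
       10.0.20.10 here), not at the host. -->
  <ip address="10.0.20.1" netmask="255.255.255.0">
    <dhcp>
      <!-- Pool for custom workstations; keep it outside the GW's static IP. -->
      <range start="10.0.20.100" end="10.0.20.200"/>
      <!-- Optional fixed lease keyed on a guest's MAC (placeholder MAC). -->
      <host mac="52:54:00:aa:bb:01" name="ws-custom" ip="10.0.20.101"/>
    </dhcp>
  </ip>
</network>

<!-- In each workstation domain XML, attach the NIC to this network and,
     if wanted, apply libvirt's preset anti-spoofing filter:

     <interface type="network">
       <source network="ws-lan"/>
       <mac address="52:54:00:aa:bb:01"/>
       <model type="virtio"/>
       <filterref filter="clean-traffic"/>
     </interface>

     clean-traffic binds the guest to its configured MAC and IP (learned or
     given via an IP parameter) and drops spoofed ARP/IP frames; it does not
     replace the GW's own firewall or enforce the route to it. -->
```

Note that libvirt's DHCP only supplies addresses, and by default the host's dnsmasq instance also answers DNS on the bridge; if workstations must resolve only through the GW, pass the GW as the DNS server (a `<dns>` / `<option>` element in the `<dhcp>` block) rather than leaving the host as resolver.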