@xloem Thanks for your interest. Problem is a very low priority pet project: Physical Isolation is back! Qubes-Whonix style - #2 by entr0py. I haven’t begun investigating yet. A good start would be learning how physical switches preserve source IPs without masquerading an intermediary IP. Don’t know enough about networking in general - perhaps it’s done with ARP tables? The trivial, messy solution would be to assign a separate proxyVM to each WS.
In the past, I’ve used a configuration that is relevant to your original question and also affected by my issue:
```
Whonix-GW
   ^^
   ||
   ||
LAN   proxyVM
 ^^      ^
 ||      |
 +---+--------+---------+
 ||  |        |         |
WS-A WS-B    WS-C     WS-D
```
Here, A has internet access via Whonix-GW and also LAN access. B, C, D are restricted to LAN-only. Luckily, I only had one client connect to Whonix-GW. [Disclaimer: B, C, D should not be considered non-networked or air-gapped because leaks can happen through a compromised proxyVM or by exploiting WS-A via the LAN to leak through the proxyVM.]