@xloem Thanks for your interest. The problem is that this is a very low-priority pet project: https://forums.whonix.org/t/physical-isolation-is-back-qubes-whonix-style/3317/2. I haven't begun investigating yet. A good start would be learning how physical switches preserve source IPs without masquerading behind an intermediary IP. I don't know enough about networking in general; perhaps it's done with ARP tables? The trivial, messy solution would be to assign a separate proxyVM to each WS.
In the past, I've used a configuration that is relevant to your original question and also affected by my issue:
```
 ||    |    |    |
WS-A WS-B WS-C WS-D
```
A has internet access via Whonix-GW and also LAN access. B, C and D are restricted to LAN-only. Luckily, I only had one client connect to Whonix-GW.

[Disclaimer: B, C and D should not be considered non-networked or air-gapped, because leaks can happen through a compromised proxyVM, or by exploiting WS-A via the LAN and leaking through the proxyVM.]
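The following is an added example, not code from the original post or from the Whonix or Qubes projects. It shows one way a proxyVM could express the configuration described above as iptables FORWARD rules: WS-A may be forwarded anywhere (upstream to Whonix-GW and to the LAN), while WS-B, WS-C and WS-D may only be forwarded to the LAN. The vif addresses, the LAN subnet and the chain name `ws-policy` are hypothetical placeholders; on a real system take the addresses from `qvm-ls -n`.

```sh
#!/bin/sh
# Added example (not from the original post or from Whonix/Qubes).
# Emits the iptables rules a proxyVM could apply so that WS-A is forwarded
# anywhere while WS-B/C/D are forwarded to the LAN only.
# All addresses below are assumed placeholders.

WS_A=10.137.0.10       # assumed vif address of WS-A
WS_B=10.137.0.11       # assumed vif address of WS-B
WS_C=10.137.0.12       # assumed vif address of WS-C
WS_D=10.137.0.13       # assumed vif address of WS-D
LAN=192.168.1.0/24     # assumed physical LAN subnet

# Print the rules instead of running them, so they can be reviewed
# before being piped into a root shell on the proxyVM.
gen_rules() {
    echo "iptables -N ws-policy 2>/dev/null || iptables -F ws-policy"
    # Return traffic for connections a workstation already opened.
    echo "iptables -A ws-policy -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # WS-A: unrestricted forwarding (internet via Whonix-GW, plus the LAN).
    echo "iptables -A ws-policy -s $WS_A -j ACCEPT"
    # WS-B/C/D: LAN destinations only; anything else falls through to DROP.
    for vm in "$WS_B" "$WS_C" "$WS_D"; do
        echo "iptables -A ws-policy -s $vm -d $LAN -j ACCEPT"
    done
    echo "iptables -A ws-policy -j DROP"
    # Evaluate this chain before whatever FORWARD rules the proxyVM already has.
    echo "iptables -I FORWARD 1 -j ws-policy"
}

# Usage: ./ws-policy.sh        (review the generated rules)
#        ./ws-policy.sh | sh   (apply them, as root, inside the proxyVM)
gen_rules
```

Note what this ruleset does and does not give you. It restricts what the proxyVM forwards for B, C and D, but it cannot stop them from reaching WS-A's LAN address, because that traffic is exactly the LAN access the configuration grants; that is the leak path the disclaimer above describes, and it is a consequence of the design rather than a missing rule. Whether these rules survive a reboot depends on where the proxyVM loads them from (an assumption for this example is a user firewall script run at startup); a proxyVM that gets compromised can also simply remove them.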