This is a known issue. Fixed in 4.0. https://github.com/QubesOS/qubes-issues/issues/2533. Probably wontfix for 3.2.
If sys-whonix is set as default_netVM and it has an upstream firewall / proxyVM, then both VMs will automatically start concurrently when Qubes boots. This doesn’t allow time for
qubes-firewall-user-script to detect network change and allow forwarding rules for sys-whonix. sys-whonix will have no connectivity unless another VM connects or disconnects to proxyVM.
- (not recommended) set default_netVM to another netVM. May result in clearnet leaks due to user error.
- induce change in proxyVM network by setting sys-whonix netVM to something else and back or by connecting / disconnecting other VMs to proxyVM
- manually execute
qubes-firewall-user-script in proxyVM
- reboot sys-whonix