Networking issues with fedora-25, debian-9 as NetVM template in 4.0rc1

[0spinboson]

Qubes OS version (e.g., R3.2):

4.0rc1

Affected TemplateVMs (e.g., fedora-23, if applicable):

fedora-25, debian-9

Expected behavior:

can use either or both of the templates for sys-net, sys-firewall.

Actual behavior:

(on 2 computers): fedora-25 almost never works as sys-net, but does sometimes (so I don't get it).

Debian-8 as netVM works flawlessly, but when I updated that (fresh) template to debian-9, it also stopped forwarding to sys-firewall.
Connectivity inside sys-net is fine, and/so connecting dom0 updater to the netVM directly does work.

[marmarek]

Can you be more specific than "fedora-25 almost never works as sys-net"? What exactly happen?

[andrewdavidwong]

I can confirm this on R3.2. When I try to use fedora-25 or fedora-25-minimal as the TemplateVM for sys-net, I can connect to Wi-Fi networks as normal, but AppVMs have no internet connection. Switching sys-net back to fedora-24* immediately fixes it.

[0spinboson]

no packets are forwarded to sys-firewall or beyond (though it randomly did work one time, I have no idea how/why). Compare these three logs of 'iptables -L -vn' run in sys-net, which are hopefully more informative. No rules added or changed by me, this is the out of the box configuration.

iptablesfc25.txt
iptablesd9.txt
iptablesd8.txt

[marmarek]

Can you include the same with -t nat option?

[0spinboson]

Of course:
iptablesf25nat.txt
iptablesd9nat.txt
iptablesd8nat.txt

[marmarek]

Looks ok... What is value of /proc/sys/net/ipv4/ip_forward?

[marmarek]

(just one of broken cases is enough)

[0spinboson]

1

…

On Aug 7, 2017 23:45, "Marek Marczykowski-Górecki" ***@***.***> wrote: (just one of broken cases is enough) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#2964 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AUGeHD76mbtaCno_GVHmfOIS5k_0-7tqks5sV4VxgaJpZM4OtUQ3> .

[tlaurion]

Also have the bug. Any other troubleshooting paths to suggest? Other output that would help in troubleshooting this issue?

[andrewdavidwong]

@tlaurion: In my case, it turned out that #3008 was the real problem. Blacklisting iwlmvm fixed it. (See the comments on that issue.)

[0spinboson]

Glad your issue was resolved, but I never use sleep/standby, and I also don't use wifi.

[marmarek]

Maybe you can track with tcpdump where exactly the packets are lost?

[0spinboson]

I have no idea why, but for me the issue with fc25 and fc26 not being usable as the sys-net template has disappeared with rc2.

[andrewdavidwong]

Closing this as "resolved" for now. If you believe the issue is not yet resolved, or if anyone is still affected by this issue, please leave a comment, and we'll be happy to reopen this. Thank you.