[How-to] Network between VMs

Original forum link: https://forum.qubes-os.org/t/37533
Original poster: Max123
Created at: 2025-11-25 18:00:01
Posts count: 2
Likes count: 4
Tags: networking

Problem

During software development, I need a group of VMs that can access each other over the network, but remain isolated from the Internet. Many guides online are incomplete or confusing, so here’s a clean solution.

Solution Overview

One group of VMs with all-to-all network access.
Each VM in the group that acts as a server may allow incoming connections on all ports.
The network has no Internet access, and the VMs trust each other more or less.
My GIT server is located right in this dev group, btw.
For package installation (npm i, composer install...), use a disposable VM and copy the resulting code back to your dev VMs. Spoiler: it's still insecure (this is a separate topic for discussion).

Network Setup

By default Qubes OS uses 10.137.x.x IP range, with 10.137.0.x assigned by DHCP.
Use 10.137.1.x for manual IP assignment in your dev group.

Steps

Set sys-firewall as network VM for all AppVMs in the group.
Assign unique IPs for each AppVM (run in Dom0):

qvm-prefs my-vm ip 10.137.1.101

Enable routing between all IPs in the range (run on sys-firewall):

Use this command (see below):

nft add rule ip qubes custom-forward ip saddr 10.137.1.0/24 ip daddr 10.137.1.0/24 ct state new,established,related counter accept

Make it permanent:

Option 1: Add the line to /rw/config/rc.local in default-dvm (template for disposable VM).
Option 2: Clone default-dvm -> sys-firewall-dvm, add the line there, and set sys-firewall-dvm as the template for sys-firewall.
Allow server VMs to accept connections. On each VM running a server, add to /rw/config/rc.local:

nft add rule ip qubes custom-forward ip saddr 10.137.1.0/24 ip daddr 10.137.1.0/24 ct state new,established,related counter accept

Restrict Internet access (optional). For any VM you want to keep offline (as I do):
Open Qube Manager -> Settings -> Firewall rules
Check Limit outgoing connections to…
Add exceptions if needed for intra-group communication.
Reboot all VMs to make sure the settings apply and persist across reboots.