Static IP Wired Network Connection (How do I...)

Hi Genodians! (I am a power user who’s new to Genode/Sculpt coming from the Qubes/Linux world) :slight_smile:

I’m currently trying to get the pre-built Sculpt OS 25.04 up and running for the first time, and Sculpt boots successfully (x86_64 system), but I can’t figure out how to get my wired ethernet connection working. There seems to be no connection made or network address shown after clicking to enable the “Wired” network (in the upper right corner).

Can someone please hand-hold me on the exact steps and settings for getting this networking up?

  • My system has a wired ethernet NIC only (No Wifi adapter).

  • My LAN network supports static IPs only (No DHCP server).

Via my working Qubes/Linux install, here are my specific LAN network settings that should be used for this Sculpt PC:

  • IP Address: 192.168.1.101
  • Broadcast: 192.168.1.255
  • Netmask: 255.255.255.0
  • Gateway: 192.168.1.1
  • DNS: 1.1.1.1

I’m initially looking to get basic internet traffic flowing on the ports of

  • HTTP (TCP:80)
  • HTTPS (TCP:443)
  • DNS (UDP:53)

in order to download and play with new Genode/Sculpt components, do some basic web browsing, and learn how to work with this very interesting and powerful Genode/Sculpt system.

From some web searching, it seems Sculpt may presume DHCP dynamic network addressing by default (which my network doesn’t offer), and a static IP configuration may require a custom config edit of a file such as “/config/managed/nic_router”?

Not sure if that’s right, or how to custom configure such a file (unknown XML parameters to me), in order to configure a static IP network connection with my specific network settings.

Hoping someone could hold my hand on this, as I’m excited to start the adventure of diving much deeper into Genode/Sculpt!

P.S. I’ve looked at a fair amount of Genode/Sculpt content and have watched Norman’s Casual Walkthrough video, so I think I generally understand the concept of how to edit config files in Genode/Sculpt, however, I don’t know exactly what file(s) to edit and what exact settings/parameters/values to type in or remove, nor also how one could know/discover this stuff - even as a Qubes/Linux power user - as Genode/Sculpt seems to be based on its own custom config files that omit settings/parameters/values that aren’t presently running by default (inhibiting easy discovery of additional non-default configurations that Genode/Sculpt is capable of).

Anyway, happy to be here, happy to have found Genode/Sculpt, and looking forward to lots of fun sculpting to come! :slight_smile:

3 Likes

Hi and welcome to the Genode world,

as you correctly figured out, you have to manually edit the NIC router config since there is no GUI for static IP config. Be aware that all files in /config/managed/ are generated by the Sculpt-manager component, thus any manually made changes will be overwritten at some point. For manually managing the NIC router config, you best copy /config/managed/nic_router to /config/nic_router. This implicitly tells the Sculpt manager that you want to maintain the config yourself.

The XML nodes and attributes for the NIC router are documented in its README file. You basically need to add an interface and a gateway attribute to the <domain name="uplink"> node. Moreover, you would also need to add a <dns-server> child node to the <dhcp-server> node of the "default" domain.

3 Likes

@jschlatow

Thanks for the welcome! Hoping to in-time make Genode/Sculpt become a full and superior daily driver replacement for Qubes OS. :slight_smile:

Been tinkering with the nic_router as prescribed, but am still not getting the wired network connection to work.

The nic_router is quite complex to grasp for simply getting a basic manual network connection setup, and I feel somewhat lost in looking through the README, but I’m at least glad to be getting exposed to some deeper configuration parts of Genode/Sculpt on my first day for future educational and skill purposes!

Static IP Troubleshooting:

I first generate a default /config/managed/nic_router file by clicking to enable the Network from Off to Wired. Then, after copying, editing, and saving (:wq) to the new /config/nic_router file within the ram fs component using vim, and then testing internet by trying to install nano3d from the Presets, I get the following network connection errors for the ‘nano3d’ install:

In lower left corner notification, I see:

Diagnostics
network needed for installation

In /report/log, I see:

tail -n 1 /report/log

[leitzentrale -> manager] genodelabs/pkg/sticks_blue_backdrop/2025-04-28 incomplete or missing

I made the following line changes/additions to the default /config/nic_router file:

<domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1">

and

    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/>
      <dns-server ip="1.1.1.1"/>
    </dhcp-server>

Here is a fully retyped copy of my edited/modified /config/nic_router file:

<config verbose_domain_state="yes">
  <report interval_sec="5" bytes="yes" config="yes" config_triggers="yes"/>
  <default-policy domain="default"/>
  <policy label_prefix="nic -> " domain="uplink"/>
  <domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1">
    <nat domain="default" tcp-ports="1000" udp-ports="1000" icmp-ids="1000"/>
    <tcp-forward port="80" domain="http" to="10.0.80.2"/>
    <tcp-forward port="23" domain="telnet" to="10.0.23.2"/>
    <tcp-forward port="9999" domain="gdb" to="10.0.99.2"/>
    <tcp-forward port="5900" domain="vnc" to="10.0.59.2"/>
  </domain>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/>
      <dns-server ip="1.1.1.1"/>
    </dhcp-server>
    <tcp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </tcp>
    <udp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </udp>
    <icmp dst="0.0.0.0/0" domain="uplink"/>
  </domain>
  <policy label="http" domain="http"/>
  <domain name="http" interface="10.0.80.1/24">
    <dhcp-server ip_first="10.0.80.2" ip_last="10.0.80.2" dns_config_form="uplink"/>
  </domain>
  <policy label="telnet" domain="telnet"/>
  <domain name="telnet" interface="10.0.23.1/24">
    <dhcp-server ip_first="10.0.23.2" ip_last="10.0.23.2" dns_config_form="uplink"/>
  </domain>
  <policy label="gdb" domain="gdb"/>
  <domain name="gdb" interface="10.0.99.1/24">
    <dhcp-server ip_first="10.0.99.2" ip_last="10.0.99.2" dns_config_form="uplink"/>
  </domain>
  <policy label="vnc" domain="vnc"/>
  <domain name="vnc" interface="10.0.59.1/24">
    <dhcp-server ip_first="10.0.59.2" ip_last="10.0.59.2" dns_config_form="uplink"/>
  </domain>
</config>

For reference, here is a fully retyped copy of my default/unmodified /config/managed/nic_router file:

<config verbose_domain_state="yes">
  <report interval_sec="5" bytes="yes" config="yes" config_triggers="yes"/>
  <default-policy domain="default"/>
  <policy label_prefix="nic -> " domain="uplink"/>
  <domain name="uplink">
    <nat domain="default" tcp-ports="1000" udp-ports="1000" icmp-ids="1000"/>
    <tcp-forward port="80" domain="http" to="10.0.80.2"/>
    <tcp-forward port="23" domain="telnet" to="10.0.23.2"/>
    <tcp-forward port="9999" domain="gdb" to="10.0.99.2"/>
    <tcp-forward port="5900" domain="vnc" to="10.0.59.2"/>
  </domain>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/>
    <tcp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </tcp>
    <udp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </udp>
    <icmp dst="0.0.0.0/0" domain="uplink"/>
  </domain>
  <policy label="http" domain="http"/>
  <domain name="http" interface="10.0.80.1/24">
    <dhcp-server ip_first="10.0.80.2" ip_last="10.0.80.2" dns_config_form="uplink"/>
  </domain>
  <policy label="telnet" domain="telnet"/>
  <domain name="telnet" interface="10.0.23.1/24">
    <dhcp-server ip_first="10.0.23.2" ip_last="10.0.23.2" dns_config_form="uplink"/>
  </domain>
  <policy label="gdb" domain="gdb"/>
  <domain name="gdb" interface="10.0.99.1/24">
    <dhcp-server ip_first="10.0.99.2" ip_last="10.0.99.2" dns_config_form="uplink"/>
  </domain>
  <policy label="vnc" domain="vnc"/>
  <domain name="vnc" interface="10.0.59.1/24">
    <dhcp-server ip_first="10.0.59.2" ip_last="10.0.59.2" dns_config_form="uplink"/>
  </domain>
</config>

Here is a fully retyped copy of my /report/log file after editing/saving /config/nic_router and then re-connecting the network from Off to Wired again:

tail -n 50 /report/log

[runtime] child "nic_router"
[runtime]   RAM quota:  9992K
[runtime]   cap quota:  266
[runtime]   ELF binary: nic_router
[runtime]   priority:   2
[runtime]   provides service Nic
[runtime]   provides service Uplink
[runtime] child "nic"
[runtime]   RAM quota:  20232K
[runtime]   cap quota:  266
[runtime]   ELF binary: nic
[runtime]   priority:   2
[runtime -> nic_router] [uplink] dynamic IP config: none
[runtime -> nic_router] [uplink] NIC sessions: 0
[runtime -> nic_router] [default] static IP config: interface 10.0.1.1/24,  gateway 0.0.0.0, P2P 0
[runtime -> nic_router] [default] NIC sessions: 0
[runtime -> nic_router] [http] static IP config: interface 10.0.80.1/24, gateway 0.0.0.0, P2P 0
[runtime -> nic_router] [http] NIC sessions: 0
[runtime -> nic_router] [telnet] static IP config: interface 10.0.23.1/24, gateway 0.0.0.0, P2P 0
[runtime -> nic_router] [telnet] NIC sessions: 0
[runtime -> nic_router] [gdb] static IP config: interface 10.0.99.1/24, gateway 0.0.0.0, P2P 0
[runtime -> nic_router] [gdb] NIC sessions: 0
[runtime -> nic_router] [vnc] static IP config: interface 10.0.59.1/24, gateway 0.0.0.0, P2P 0
[runtime -> nic_router] [vnc] NIC sessions: 0
[runtime] child "nic_router" announces service "Nic"
[runtime] child "nic_router" announces service "Uplink"
[runtime -> nic] SLUB: HWalign=64, Order=0-1, MinObjects=0, CPUs=1, Nodes=1
[runtime -> nic] NR_IRQS: 4352, nr_irqs: 4352, preallocated irqs: 256
[runtime -> nic] clocksource: dde_counter: mask: 0xffffffffffffff max_cycles: 0x1d854df40, max_idle_ns: 3526361616960 ns
[runtime -> nic] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[runtime -> nic] clocksource: Switched to clocksource dde_counter
[runtime -> nic] netdev: Intel(R) PRO/1000 Network Driver
[runtime -> nic] netdev: Copyright(c) 1999 - 2015 Intel Corporation.
[runtime -> nic] e1000e 00:19.0: Interrupt Throttling Rate (ints/sec) set to dynamic conservative mode
[runtime -> nic] e1000e 00:19.0 00:19.0 (uninitialized): Failed to initialize MSI interrupts.  Falling back to legacy interrupts.
[runtime -> nic] e1000e 00:19.0 eth0: (PCI Express:2.5GT/s:Width x1) [MAC ADDRESS REDACTED]
[runtime -> nic] e1000e 00:19.0 eth0: Intel(R) PRO/1000 Network Connection
[runtime -> nic] e1000e 00:19.0 eth0: MAC: 10, PHY: 11, PBA No: 1000FF-0FF
[runtime -> nic] e1000_main: Intel(R) PRO/1000 Network Driver
[runtime -> nic] e1000_main: Copyright (c) 1999-2006 Intel Corporation.
[runtime -> nic] sched_clock: Marking stable (358854000, 12268000)->(449441000, -78319000)
[runtime -> nic] e1000e 00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[runtime -> nic] create uplink for net device eth0
[runtime -> nic_router] [uplink] NIC sessions: 1

Potential troubleshooting thought:

Could there be a nic-client node that needs to be added?

Also tried, without success, adding the following line as a child node of <config verbose_domain_state="yes">:

<nic-client label="wired" domain="uplink"/>

Still not sure how to get this static IP network configuration working.

@Qnode

Thanks for your detailed report. I understand that the NIC router is quite complex to grasp. Unfortunately, this is kind of a necessity when, typically, every networked component has its own IP stack, which consequently requires NATing and routing.

I believe you might have invalid XML. I noticed that you forgot to remove the /> when inserting the <dns-server ip="…"/> into the <dhcp-server …>. You can also delete the dns_config_from attribute since it is rendered ineffective when a <dns-server/> is present. You should end up with this:

<dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200">
  <dns-server ip="1.1.1.1"/>
</dhcp-server>

When the NIC router config is valid, you should see the configured IP address in Sculpt’s network dialog. Moreover, the other options (Disconnect and Wifi) will disappear from this dialog. Can you double-check that this is the case?

2 Likes

Also, you may check whether your configuration produces correct results by examining /report/runtime/nic_router/state in the Sculpt system shell. It should contain data comparable to the following (esp. <domain name="uplink" … ipv4="..."/>, which is monitored by the Sculpt manager).

<domain name="uplink" rx_bytes="161744115" tx_bytes="2724395674" ipv4="10.0.0.44/24" gw="10.0.0.1">
...
</domain>
2 Likes
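The two checks suggested in the replies above (is the edited nic_router file well-formed XML with a static uplink, and does the state report show an uplink address) can be scripted. This is an added example, not code from the thread or from the Genode project; it assumes only the attribute names shown in the thread, and the <state> root tag and byte counters of the sample report are constructed placeholders.

```python
# Added example: sanity-check a Sculpt /config/nic_router file for the pitfalls
# discussed in this thread, and read the uplink entry of the router's state
# report. Not part of Genode; attribute names follow the configs posted above.
import ipaddress
import xml.etree.ElementTree as ET


def check_nic_router_config(xml_text: str) -> list:
    """Return a list of findings ("error: ..." / "warning: ...") for a config.

    An empty list means the static uplink and the default domain's DNS
    handout look consistent with what the thread describes.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # The mistake from the thread: keeping '/>' on <dhcp-server ...> and
        # then adding a child plus </dhcp-server> yields a mismatched tag.
        return [f"error: invalid XML: {err}"]

    uplink = root.find("./domain[@name='uplink']")
    if uplink is None:
        findings.append("error: no <domain name=\"uplink\"> node")
    else:
        iface = uplink.get("interface")
        gateway = uplink.get("gateway")
        network = None
        if iface is None:
            # Without 'interface' the router waits for a DHCP lease on the
            # uplink (the log above shows "[uplink] dynamic IP config: none").
            findings.append("error: uplink has no interface attribute "
                            "(router expects a DHCP lease on the uplink)")
        else:
            try:
                network = ipaddress.ip_interface(iface).network
            except ValueError:
                findings.append(f"error: uplink interface {iface!r} is not "
                                "CIDR notation such as 192.168.1.101/24")
        if gateway is None:
            findings.append("error: uplink has no gateway attribute")
        else:
            try:
                gw_addr = ipaddress.ip_address(gateway)
            except ValueError:
                findings.append(f"error: gateway {gateway!r} is not an IP address")
            else:
                if network is not None and gw_addr not in network:
                    findings.append(f"error: gateway {gateway} is outside {network}")

    default = root.find("./domain[@name='default']")
    dhcp = None if default is None else default.find("dhcp-server")
    if dhcp is None:
        findings.append("error: default domain has no <dhcp-server> node")
    else:
        has_dns_child = (dhcp.find("dns-server") is not None
                         or dhcp.find("dns-domain") is not None)
        if has_dns_child and dhcp.get("dns_config_from") is not None:
            findings.append("warning: dns_config_from is ineffective when a "
                            "<dns-server/> or <dns-domain/> child is present")
        if not has_dns_child and dhcp.get("dns_config_from") is None:
            findings.append("error: default-domain clients get no DNS server")
    return findings


def uplink_state(state_xml: str) -> dict:
    """Extract ipv4/gw of the uplink domain from the router's state report."""
    root = ET.fromstring(state_xml)
    dom = root.find(".//domain[@name='uplink']")
    if dom is None:
        return {}
    return {"ipv4": dom.get("ipv4"), "gw": dom.get("gw")}


# Constructed samples, trimmed to the nodes the checks look at.
BROKEN_CONFIG = """\
<config>
  <domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1"/>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/>
      <dns-server ip="1.1.1.1"/>
    </dhcp-server>
  </domain>
</config>
"""

FIXED_CONFIG = """\
<config>
  <domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1"/>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200">
      <dns-server ip="1.1.1.1"/>
    </dhcp-server>
  </domain>
</config>
"""

UNMODIFIED_CONFIG = """\
<config>
  <domain name="uplink"/>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/>
  </domain>
</config>
"""

# Constructed stand-in for /report/runtime/nic_router/state (root tag assumed).
STATE_REPORT = """\
<state>
  <domain name="uplink" rx_bytes="1024" tx_bytes="2048" ipv4="192.168.1.101/24" gw="192.168.1.1"/>
  <domain name="default" rx_bytes="0" tx_bytes="0" ipv4="10.0.1.1/24" gw="0.0.0.0"/>
</state>
"""

if __name__ == "__main__":
    for name, text in [("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("unmodified", UNMODIFIED_CONFIG)]:
        print(name, check_nic_router_config(text) or "ok")
    print("uplink state:", uplink_state(STATE_REPORT))
```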

@jschlatow

Correcting the XML syntax error worked and traffic is flowing now! Thanks! :slight_smile:

I should have caught that one, as I know better with XML tags.

I will follow up by posting a step-by-step solution for others to benefit from.

Thank you!

@chelmuth

Thanks for the additional tip and insight!

Genode/Sculpt is so interesting! :slight_smile:

Solution for Static IP Wired Network Connection (Tested with Sculpt 25.04):

Here is a step-by-step guide for how to use a Static IP Wired Network Connection…

Example Static IP Wired Network Settings (substitute your own network settings):

  • IP Address: 192.168.1.101
  • Subnet Mask: 24 (255.255.255.0)
  • Gateway: 192.168.1.1
  • DNS Server: 1.1.1.1

1. Network → Wired : Enables your Wired network and generates the nic router component with a /config/managed/nic_router config file.

2. Components → ram fs → Inspect : Enables a terminal interface for accessing your filesystem.

3. Inspect : Switch from Components to Inspect to access the terminal which should show the inspect:/> prompt.

4. cp /config/managed/nic_router /config/nic_router : Copies the system managed nic_router config file where you can manage/edit your own to override the system’s nic_router config.

For reference, here is the contents of my default/unmodified nic_router config file in Sculpt 25.04:

<config verbose_domain_state="yes">
  <report interval_sec="5" bytes="yes" config="yes" config_triggers="yes"/>
  <default-policy domain="default"/>
  <policy label_prefix="nic -> " domain="uplink"/>
  <domain name="uplink">
    <nat domain="default" tcp-ports="1000" udp-ports="1000" icmp-ids="1000"/>
    <tcp-forward port="80" domain="http" to="10.0.80.2"/>
    <tcp-forward port="23" domain="telnet" to="10.0.23.2"/>
    <tcp-forward port="9999" domain="gdb" to="10.0.99.2"/>
    <tcp-forward port="5900" domain="vnc" to="10.0.59.2"/>
  </domain>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/>
    <tcp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </tcp>
    <udp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </udp>
    <icmp dst="0.0.0.0/0" domain="uplink"/>
  </domain>
  <policy label="http" domain="http"/>
  <domain name="http" interface="10.0.80.1/24">
    <dhcp-server ip_first="10.0.80.2" ip_last="10.0.80.2" dns_config_form="uplink"/>
  </domain>
  <policy label="telnet" domain="telnet"/>
  <domain name="telnet" interface="10.0.23.1/24">
    <dhcp-server ip_first="10.0.23.2" ip_last="10.0.23.2" dns_config_form="uplink"/>
  </domain>
  <policy label="gdb" domain="gdb"/>
  <domain name="gdb" interface="10.0.99.1/24">
    <dhcp-server ip_first="10.0.99.2" ip_last="10.0.99.2" dns_config_form="uplink"/>
  </domain>
  <policy label="vnc" domain="vnc"/>
  <domain name="vnc" interface="10.0.59.1/24">
    <dhcp-server ip_first="10.0.59.2" ip_last="10.0.59.2" dns_config_form="uplink"/>
  </domain>
</config>

5. vim /config/nic_router : Start editing your nic_router config file.

6. Press Insert key : Enters into edit mode in the vim editor.

7. Navigate by arrows and change the line with <domain name="uplink"> to <domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1"> where you substitute in your own IP Address, Subnet Mask, and Gateway.

<domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1">

8. Manual DNS Server : This step may be optional depending on your network’s DNS settings… If you have an explicitly defined DNS Server for your machine to use that is not automatically provided by your uplink network, then…

Navigate by arrows to the line under <domain name="default" with <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/> and change it into the following multiple lines:

  • If using a DNS Server IP Address, then:
<dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200">
  <dns-server ip="1.1.1.1"/>
</dhcp-server>
  • If using a DNS Server Domain Name, then:
<dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200">
  <dns-domain name="genodians.org"/>
</dhcp-server>

…where you substitute in your own provider’s DNS Server IP (ip=) or Domain (name=).

Note: In the first dhcp-server line, be sure to remove the ending slash-bracket /> and make it only a bracket > or else this will cause your XML configuration to be invalid.

9. Press Esc key : Exits out of edit mode in the vim editor.

10. Type :wq and press Enter into the vim editor’s command console at the bottom in order to write/save your file changes and quit the editor.

11. Network → Off → Wired : Turn your Wired network Off and On to ensure use of your new network settings.

Check that the Sculpt Network dialog is showing your IP Address under the buttons, such as “192.168.1.101/24”, and that the only buttons showing are Off and Wired as the other buttons should have disappeared.

For reference, here is a full copy of my modified and working /config/nic_router config file:

<config verbose_domain_state="yes">
  <report interval_sec="5" bytes="yes" config="yes" config_triggers="yes"/>
  <default-policy domain="default"/>
  <policy label_prefix="nic -> " domain="uplink"/>
  <domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1">
    <nat domain="default" tcp-ports="1000" udp-ports="1000" icmp-ids="1000"/>
    <tcp-forward port="80" domain="http" to="10.0.80.2"/>
    <tcp-forward port="23" domain="telnet" to="10.0.23.2"/>
    <tcp-forward port="9999" domain="gdb" to="10.0.99.2"/>
    <tcp-forward port="5900" domain="vnc" to="10.0.59.2"/>
  </domain>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink">
      <dns-server ip="1.1.1.1"/>
    </dhcp-server>
    <tcp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </tcp>
    <udp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </udp>
    <icmp dst="0.0.0.0/0" domain="uplink"/>
  </domain>
  <policy label="http" domain="http"/>
  <domain name="http" interface="10.0.80.1/24">
    <dhcp-server ip_first="10.0.80.2" ip_last="10.0.80.2" dns_config_form="uplink"/>
  </domain>
  <policy label="telnet" domain="telnet"/>
  <domain name="telnet" interface="10.0.23.1/24">
    <dhcp-server ip_first="10.0.23.2" ip_last="10.0.23.2" dns_config_form="uplink"/>
  </domain>
  <policy label="gdb" domain="gdb"/>
  <domain name="gdb" interface="10.0.99.1/24">
    <dhcp-server ip_first="10.0.99.2" ip_last="10.0.99.2" dns_config_form="uplink"/>
  </domain>
  <policy label="vnc" domain="vnc"/>
  <domain name="vnc" interface="10.0.59.1/24">
    <dhcp-server ip_first="10.0.59.2" ip_last="10.0.59.2" dns_config_form="uplink"/>
  </domain>
</config>

Enjoy! :slight_smile:

4 Likes

@Qnode Wow! Thanks for writing up such nice and polished instructions. I really appreciate that you take your time to improve documentation along your way of exploring Genode/Sculpt. If you ever feel like contributing to our community blog at genodians.org, you will be very welcome. You’ll find instructions at the corresponding repository at github.

2 Likes

You beat me to it - I was going to say exactly the same thing! This would be a great Genodians article!

1 Like

@jschlatow & @jjkarcher

Thank you both for the kind words! Happy to do it and to try to consider helping beginner-levels understand things too. :slight_smile:

After being a somewhat more advanced user with Qubes/Linux, but now here exploring and trying to build-up on Genode/Sculpt, I am enjoyably and humbly feeling like a total noob again, where simple tasks and concepts with the system seem to be somewhat-to-very challenging to figure out.

It kind of feels like being in a strange foreign land and struggling to learn a brand new language and set of customs, yet also knowing this new foreign land is meant to be my long-term home and there is something fundamentally beautiful and pure existing underneath here.


Also, after watching a video of Norman doing some live sculpting with a prior version of Sculpt OS, I realized/remembered that the Files feature (with built-in text editor) could be used to access and edit Sculpt’s config files, instead of using vim within Inspect. Therefore, I can further simplify my step-by-step instructions to be more concise and more user friendly. I will leave the prior posted instructions intact since that approach works too, but will also now post a follow up with a new, simplified, alternative step-by-step “how to” on this Static IP Wired Networking Connection topic.

I also found that doing “Components → ram fs → Use” is not necessary, and one can simply jump straight to doing “Components → ram fs → Inspect” without “Use” first, in order to access the filesystem by terminal. So I can remove that “Use” step from the instructions.


Genodians blog… Thanks, I’ve really enjoyed learning from the Genodians blog myself! I don’t have, and don’t plan to have a GitHub account, and am going by “Qnode” for now, but I am completely ok with someone else using/copying/refactoring/reuploading this or future step-by-step guides I make over to the Genodians blog. Feel free, as sharing knowledge further is a good thing!


Thanks for the truly innovative Genode/Sculpt system, and for also sculpting this little, mighty, amazing community that exists here! Happy to be here! :slight_smile:

1 Like

Note: This is an updated step-by-step approach to my prior instructions for a Static IP Wired Network Connection, which is a bit more concise and uses a more user-friendly method for editing config files.

Solution for Static IP Wired Network Connection (Tested with Sculpt 25.04):

Here is a step-by-step guide for how to use a Static IP Wired Network Connection…


Example Static IP Wired Network Settings (substitute your own network settings):

  • IP Address: 192.168.1.101
  • Subnet Mask: 24 (255.255.255.0)
  • Gateway: 192.168.1.1
  • DNS Server: 1.1.1.1

Steps:


1. Network → Wired : Enables your Wired network and generates the nic router component with a /config/managed/nic_router config file.


2. Components → ram fs → Inspect : Enables a terminal interface for accessing your filesystem.


3. Inspect : Switch from Components to Inspect to access the terminal, which should show the inspect:/> prompt.


4. cp /config/managed/nic_router /config/nic_router : Copies the system managed nic_router config file where you can manage/edit your own to override the system’s nic_router config.

cp /config/managed/nic_router /config/nic_router

For reference, here is the contents of my default/unmodified nic_router config file in Sculpt 25.04:

<config verbose_domain_state="yes">
  <report interval_sec="5" bytes="yes" config="yes" config_triggers="yes"/>
  <default-policy domain="default"/>
  <policy label_prefix="nic -> " domain="uplink"/>
  <domain name="uplink">
    <nat domain="default" tcp-ports="1000" udp-ports="1000" icmp-ids="1000"/>
    <tcp-forward port="80" domain="http" to="10.0.80.2"/>
    <tcp-forward port="23" domain="telnet" to="10.0.23.2"/>
    <tcp-forward port="9999" domain="gdb" to="10.0.99.2"/>
    <tcp-forward port="5900" domain="vnc" to="10.0.59.2"/>
  </domain>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/>
    <tcp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </tcp>
    <udp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </udp>
    <icmp dst="0.0.0.0/0" domain="uplink"/>
  </domain>
  <policy label="http" domain="http"/>
  <domain name="http" interface="10.0.80.1/24">
    <dhcp-server ip_first="10.0.80.2" ip_last="10.0.80.2" dns_config_form="uplink"/>
  </domain>
  <policy label="telnet" domain="telnet"/>
  <domain name="telnet" interface="10.0.23.1/24">
    <dhcp-server ip_first="10.0.23.2" ip_last="10.0.23.2" dns_config_form="uplink"/>
  </domain>
  <policy label="gdb" domain="gdb"/>
  <domain name="gdb" interface="10.0.99.1/24">
    <dhcp-server ip_first="10.0.99.2" ip_last="10.0.99.2" dns_config_form="uplink"/>
  </domain>
  <policy label="vnc" domain="vnc"/>
  <domain name="vnc" interface="10.0.59.1/24">
    <dhcp-server ip_first="10.0.59.2" ip_last="10.0.59.2" dns_config_form="uplink"/>
  </domain>
</config>

5. Files → config → nic_router → Edit : Starts editing your /config/nic_router file.


6. Find and change the line with <domain name="uplink"> to <domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1"> where you substitute in your own IP Address, Subnet Mask, and Gateway.

<domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1">

7. Manual DNS Server : This step may be optional depending on your network’s DNS settings… If you have an explicitly defined DNS Server for your machine to use that is not automatically provided by your uplink network, then…

Find the line under <domain name="default" with <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/> and change it into the following multiple lines:

  • If using a DNS Server IP Address, then:
<dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200">
  <dns-server ip="1.1.1.1"/>
</dhcp-server>
  • If using a DNS Server Domain Name, then:
<dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200">
  <dns-domain name="genodians.org"/>
</dhcp-server>

…where you substitute in your own provider’s DNS Server IP (ip=) or Domain (name=).

Note: In the first dhcp-server line, be sure to remove the ending slash-bracket /> and make it only a bracket > or else this will cause your XML configuration to be invalid.


8. Press Save button : Saves and enables your new configuration.


9. Network → Off → Wired : Turn your Wired network Off and On to ensure use of your new network settings.

Check that the Sculpt Network dialog is showing your IP Address under the buttons, such as “192.168.1.101/24”, and that the only buttons showing are Off and Wired as the other buttons should have disappeared.


For reference, here is a full copy of my modified and working /config/nic_router config file:

<config verbose_domain_state="yes">
  <report interval_sec="5" bytes="yes" config="yes" config_triggers="yes"/>
  <default-policy domain="default"/>
  <policy label_prefix="nic -> " domain="uplink"/>
  <domain name="uplink" interface="192.168.1.101/24" gateway="192.168.1.1">
    <nat domain="default" tcp-ports="1000" udp-ports="1000" icmp-ids="1000"/>
    <tcp-forward port="80" domain="http" to="10.0.80.2"/>
    <tcp-forward port="23" domain="telnet" to="10.0.23.2"/>
    <tcp-forward port="9999" domain="gdb" to="10.0.99.2"/>
    <tcp-forward port="5900" domain="vnc" to="10.0.59.2"/>
  </domain>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink">
      <dns-server ip="1.1.1.1"/>
    </dhcp-server>
    <tcp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </tcp>
    <udp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </udp>
    <icmp dst="0.0.0.0/0" domain="uplink"/>
  </domain>
  <policy label="http" domain="http"/>
  <domain name="http" interface="10.0.80.1/24">
    <dhcp-server ip_first="10.0.80.2" ip_last="10.0.80.2" dns_config_form="uplink"/>
  </domain>
  <policy label="telnet" domain="telnet"/>
  <domain name="telnet" interface="10.0.23.1/24">
    <dhcp-server ip_first="10.0.23.2" ip_last="10.0.23.2" dns_config_form="uplink"/>
  </domain>
  <policy label="gdb" domain="gdb"/>
  <domain name="gdb" interface="10.0.99.1/24">
    <dhcp-server ip_first="10.0.99.2" ip_last="10.0.99.2" dns_config_form="uplink"/>
  </domain>
  <policy label="vnc" domain="vnc"/>
  <domain name="vnc" interface="10.0.59.1/24">
    <dhcp-server ip_first="10.0.59.2" ip_last="10.0.59.2" dns_config_form="uplink"/>
  </domain>
</config>

Enjoy! :slight_smile:

1 Like

It’s been a while since I’ve looked at this (so the Genode guys can correct me if I’m wrong), but I don’t think there is any requirement to use GitHub. At the recommendation from several people in this forum, I created an account at Codeberg.org to house my personal projects and (when the glorious day arrives that I have something valuable to contribute) my Genodians repo. (Many of us here have similar concerns in this area.)

For what it’s worth…

Correct. The only requirement is that the content is downloadable as a zip archive.

1 Like

@jjkarcher & @jschlatow

Thank you both for your encouragement to post onto the Genodians blog! If it can be made feasible, then I’d be happy to do so.

I did originally see in the README of the genodians.org repository that states GitHub is preferred but not required…

"Each author maintains his/her own content, preferably in a public git repository. You may take a look at [https://github.com/nfeske/genodian] as an example."

Further Issues:

However, it was the mention of these 2 policies that made me turn away…

"Please open an issue at [https://github.com/genodelabs/genodians.org] and provide the following information:"
  • I presume that this step of opening a new GitHub issue would require a GitHub account? Although, I’d reasonably presume an alternative means of messaging the right person could likely be acceptable for initiating a valid blog post.
* Your real name. It will be displayed aside your articles. Pseudonyms are not accepted.
  • This absolute statement that articles cannot be published with pseudonyms, and would be rejected, is the strongest barrier. As I’m going by the name “Qnode” for now, this is the primary issue.

I’m still happy if others would like to refactor my present or future step-by-step guides into Genodians blog posts.

Thanks! :slight_smile:

2 Likes

Reading through the nic_router Readme and this topic I was able to make a static setup for my system. I find the nic_router approach much simpler and easier to manage than iptables, rf etc. I’d have to say I love it!

Though I have 3 questions about it. And I will use the config example provided here with some change.

Scenario: A server with a static address that is connected to a LAN with its own router, which is used as a gateway. So the server doesn’t route any traffic between real networks.

Config
<config verbose_domain_state="yes">
  <report interval_sec="5" bytes="yes" config="yes" config_triggers="yes"/>
  <default-policy domain="default"/>
  <policy label_prefix="nic -> " domain="uplink"/>
  <domain name="uplink" interface="192.168.1.123/24" gateway="192.168.1.1">
    <nat domain="default" tcp-ports="1000" udp-ports="1000" icmp-ids="1000"/>
    <tcp-forward port="80" domain="http" to="10.0.80.2"/>
    <tcp-forward port="23" domain="telnet" to="10.0.23.2"/>
    <tcp-forward port="9999" domain="gdb" to="10.0.99.2"/>
    <tcp-forward port="5900" domain="vnc" to="10.0.59.2"/>
  </domain>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/>
    <tcp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </tcp>
    <udp dst="0.0.0.0/0">
      <permit-any domain="uplink"/>
    </udp>
    <icmp dst="0.0.0.0/0" domain="uplink"/>
  </domain>
  <policy label="http" domain="http"/>
  <domain name="http" interface="10.0.80.1/24">
    <dhcp-server ip_first="10.0.80.2" ip_last="10.0.80.2" dns_config_from="uplink"/>
  </domain>
  <policy label="telnet" domain="telnet"/>
  <domain name="telnet" interface="10.0.23.1/24">
    <dhcp-server ip_first="10.0.23.2" ip_last="10.0.23.2" dns_config_from="uplink"/>
  </domain>
  <policy label="gdb" domain="gdb"/>
  <domain name="gdb" interface="10.0.99.1/24">
    <dhcp-server ip_first="10.0.99.2" ip_last="10.0.99.2" dns_config_from="uplink"/>
  </domain>
  <policy label="vnc" domain="vnc"/>
  <domain name="vnc" interface="10.0.59.1/24">
    <dhcp-server ip_first="10.0.59.2" ip_last="10.0.59.2" dns_config_from="uplink"/>
  </domain>
</config>

DNS configuration.

First question is DNS: the setup is not fully clear to me. I want to set up specific DNS servers for the uplink domain, just like the static address/gateway setup is done, in the same manner as it is done in any other OS. So all other domains that use DNS servers from uplink will get the same, but I don’t want to run a DHCP server on uplink to avoid conflicts with the gateway in the LAN.

How is it done properly with nic_router?

Dropping packages

I want to drop packages (opening connections) from the gateway to my server, so only LAN clients could connect to its services. But I can’t find any setting to explicitly drop or block packages on tcp-forward or tcp tags. Should I do that in the target domain by permitting a source IP range without the router address?
If yes, wouldn’t the tcp-forward have a negative impact on network performance or introduce CPU overhead (by routing packages to the domain that will drop them afterwards anyway)?

Security

As far as I see, the default domain is specified for all connections, unless specified otherwise. But these lines in Readme make me concerned about the network security of nic_router:

* Acting as hub among NIC and Uplink sessions of the same domain
...
If a network packet must be sent at a domain, it is always sent at all
interfaces assigned that domain. If a network packet from a domain addresses a
host in the same IPv4 subnet and it's not the routers IPv4 peer in that domain,
the packet is again sent at all interfaces assigned that domain.

This means, that any interface, that is assigned to the default domain will receive all network packages addressed to any interface in that domain. :thinking:

Imagine I’m running a browser (not trusted) for a google-only ecosystem with its own recall_fs and another browser (not trusted) with a banking app or something else, and that I don’t want to expose them to each other.
Now if they are both in the same domain, they both will receive all network packages addressed to any interface.

Taking into account the infamous google ability to collect user data and metadata, this gives power to google or any component to spy on what other components in the same domain are doing in the network. Despite the traffic being encrypted, the basic metadata (mac&ip addresses, ports, headers?) is not, and it can tell a lot about the user of the system…

How to mitigate this risk? Should I specify a dedicated policy and domain for each component that I want to run isolated from other components? Or how should it be done?
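Since a nic_router config is only checked when the router actually loads it, a small offline consistency check helps before deploying a hand-written one. The following is an added example, not code from the Genode project: a Python script that parses a constructed variant of the config above (with the dns_config_from attribute misspelled on two dhcp-server nodes) and reports misspelled attributes, references to undeclared domains, DHCP ranges and gateways outside the domain's own subnet, and forward targets outside the target domain's subnet. It also reminds the reader which domain the default-policy feeds, because the README excerpt quoted later in the thread explains that all interfaces in one domain share packets. The attribute vocabulary in KNOWN_ATTRS is an assumption taken from the config as posted here; nic_router's real schema is larger, so extend the table before using it on other configs.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed input: the thread's config, reduced to two forwarded services and
# with dns_config_from misspelled on two dhcp-server nodes for the checker to catch.
SAMPLE_CONFIG = """<config verbose_domain_state="yes">
  <report interval_sec="5" bytes="yes" config="yes" config_triggers="yes"/>
  <default-policy domain="default"/>
  <policy label_prefix="nic -> " domain="uplink"/>
  <domain name="uplink" interface="192.168.1.123/24" gateway="192.168.1.1">
    <nat domain="default" tcp-ports="1000" udp-ports="1000" icmp-ids="1000"/>
    <tcp-forward port="80" domain="http" to="10.0.80.2"/>
    <tcp-forward port="5900" domain="vnc" to="10.0.59.2"/>
  </domain>
  <domain name="default" interface="10.0.1.1/24">
    <dhcp-server ip_first="10.0.1.2" ip_last="10.0.1.200" dns_config_from="uplink"/>
    <tcp dst="0.0.0.0/0"><permit-any domain="uplink"/></tcp>
    <udp dst="0.0.0.0/0"><permit-any domain="uplink"/></udp>
    <icmp dst="0.0.0.0/0" domain="uplink"/>
  </domain>
  <policy label="http" domain="http"/>
  <domain name="http" interface="10.0.80.1/24">
    <dhcp-server ip_first="10.0.80.2" ip_last="10.0.80.2" dns_config_form="uplink"/>
  </domain>
  <policy label="vnc" domain="vnc"/>
  <domain name="vnc" interface="10.0.59.1/24">
    <dhcp-server ip_first="10.0.59.2" ip_last="10.0.59.2" dns_config_form="uplink"/>
  </domain>
</config>
"""

# Assumption: attribute vocabulary as used in this thread's config, not the full schema.
KNOWN_ATTRS = {
    "config": {"verbose_domain_state"},
    "report": {"interval_sec", "bytes", "config", "config_triggers"},
    "default-policy": {"domain"},
    "policy": {"label", "label_prefix", "domain"},
    "domain": {"name", "interface", "gateway"},
    "nat": {"domain", "tcp-ports", "udp-ports", "icmp-ids"},
    "tcp-forward": {"port", "domain", "to"},
    "udp-forward": {"port", "domain", "to"},
    "dhcp-server": {"ip_first", "ip_last", "dns_config_from"},
    "tcp": {"dst"}, "udp": {"dst"}, "icmp": {"dst", "domain"},
    "permit-any": {"domain"}, "permit": {"port", "domain"},
}


def lint(xml_text):
    """Return a list of (severity, message) tuples for a nic_router config."""
    root = ET.fromstring(xml_text)
    out = []
    domains = {d.get("name"): d for d in root.iter("domain")}

    for elem in root.iter():
        known = KNOWN_ATTRS.get(elem.tag)
        if known is None:
            out.append(("error", f"<{elem.tag}>: element not in the checked vocabulary"))
            continue
        for attr in elem.attrib:
            if attr not in known:
                out.append(("error", f"<{elem.tag}>: unknown attribute '{attr}' (misspelling?)"))
        # every domain reference must name a declared domain
        for attr in ("domain", "dns_config_from"):
            ref = elem.get(attr)
            if ref is not None and ref not in domains:
                out.append(("error", f"<{elem.tag}>: references undeclared domain '{ref}'"))

    for name, dom in domains.items():
        iface = ipaddress.ip_interface(dom.get("interface"))
        gw = dom.get("gateway")
        if gw and ipaddress.ip_address(gw) not in iface.network:
            out.append(("error", f"domain '{name}': gateway {gw} is outside {iface.network}"))
        for srv in dom.findall("dhcp-server"):
            first = ipaddress.ip_address(srv.get("ip_first"))
            last = ipaddress.ip_address(srv.get("ip_last"))
            if first > last:
                out.append(("error", f"domain '{name}': ip_first is above ip_last"))
            for ip in (first, last):
                if ip not in iface.network:
                    out.append(("error", f"domain '{name}': DHCP address {ip} is outside {iface.network}"))
                elif ip == iface.ip:
                    out.append(("error", f"domain '{name}': DHCP range includes the router address {ip}"))
        for fwd in list(dom.findall("tcp-forward")) + list(dom.findall("udp-forward")):
            target = domains.get(fwd.get("domain"))
            if target is not None:
                tnet = ipaddress.ip_interface(target.get("interface")).network
                to = ipaddress.ip_address(fwd.get("to"))
                if to not in tnet:
                    out.append(("error", f"domain '{name}': forward to {to} is outside target subnet {tnet}"))

    # Clients not matched by any <policy> land in one shared domain; per the README
    # excerpt quoted in this thread, interfaces of a domain see each other's packets.
    dp = root.find("default-policy")
    if dp is not None:
        out.append(("info", f"default-policy sends unmatched clients into shared domain '{dp.get('domain')}'"))
    return out


def errors(xml_text):
    """Only the findings that would make the config wrong, without the informational note."""
    return [msg for sev, msg in lint(xml_text) if sev == "error"]


if __name__ == "__main__":
    for sev, msg in lint(SAMPLE_CONFIG):
        print(f"{sev:5} {msg}")
```

Run it against a config before copying it into /config; the two "unknown attribute 'dns_config_form'" findings show how a silently ignored misspelling would leave those domains without the DNS configuration the author intended.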

As far as I know, the only way to achieve a static DNS config for every domain is to specify it for each domain separately. The dns_config_from_uplink only works for the case in which uplink gets its DNS config via DHCP.

Note that the tcp and tcp-forward configurations only affect packets that come from interfaces of the domain in which they are specified. I.e. packets forwarded from uplink to default are unaffected by any tcp rule specified in default. I believe, for your use case, you could replace the tcp-forward by a tcp rule and only route packets to the default domain that are destined for the LAN IP of your uplink interface.

That would be the way.

1 Like

Thanks for the answers!

So essentially there’s no way to specify DNS servers without starting a dhcp-server in a domain, right? :thinking:

Good to know, that tcp and tcp-forward affect only packets originated from the same domain, but not routed ones from another domain. I saw the “Domain-local IP traffic” in the documentation but didn’t get that it excludes the routed traffic from other domains. Btw, is NAT-ed traffic counted as “Domain-Local IP traffic”? :sweat_smile:

My goal is to not allow the LAN router to establish a VNC connection to my server, because it’s not trusted by me (the provider’s hardware, without my access to its configuration). I might be tin-foil-hatting here, but still… Essentially what I’m trying to do is to blacklist a source IP address (or range). I just can’t figure out how to solve this case with nic_router instruments. :thinking:

I don’t see any rules that use the source IP address of a package… Also I didn’t get how a package would be routed to vnc domain from uplink if I replace tcp-forward with tcp. :face_with_spiral_eyes:

Could you please share with me a simplified example of a config that black-lists or white-lists connections from LAN (uplink) to some service domain (vnc) by source IP? :sweat_smile:

Ok, got it, no default isolation for arbitrary dynamically added components for now, can live with that, not a big issue :slightly_smiling_face: Just need to keep in mind, that default-policy domain is not meant for security sensitive components (like browser with banking web app open) :ok_hand:

Right.

Unfortunately, the existing mechanisms only allow routing by destination IP.

Well… as the web app uses encrypted communication with your browser, I am not too concerned about the packets being observable by another client. It’s similar to how every piece of network equipment along the routing path to your bank’s server can observe your encrypted communication. If you are concerned with leaking metadata, however, separating the clients in different domains will be the safe way.

Nevertheless, getting access to the raw packets from another client can be a challenge on its own. If a client component follows the beaten track of integrating an IP stack as a VFS plugin, I believe, there is no (intended) way to get access to the raw packets as the IP stack will drop every packet that is not intended for any open socket.

1 Like

Thanks a lot for your answers! :folded_hands:

Would be happy to see this feature! :heart_eyes: Still, amazing work on the nic_router :+1:

Yeah, you’re right! It can happen on any routing level and is a challenge of a bigger scale. Though, I wouldn’t rely on “fair play” of third party components, assuming they implement IP stack as VFS plugin.

So I will follow isolation-by-domain path to be safe, thank you! :+1: