+--------------------+
                              | rules from QubesDB |
                              +--------------------+
                                        ^
                          if-not-in-nat | then check
                                        |
                                  +-----------+
                                  | nat-table |
                                  +-----------+
                                        ^
                                        |checks
                                        |
               +------------+     +-----+----+
    work <---->|            +---->| firewall |<--------.
               |            |     +-----+----+         |
               |            |           |         +----+---+
   [...] <---->| client_net |           |         | uplink |<----> sys-net
               |            |           v         +--------+
               |            |     +----------+         ^
personal <---->|            |<----+  router  +---------'
               +------+-----+     +----------+
                      |
                      |monitors
                      v
                   XenStore
                    (dom0)