Configure NAT inside VMM

Network address translation (NAT) can be configured for virtual machines running inside vmm.

First, in the hypervisor, we configure the proper interfaces:

# cat /etc/hostname.veb0
add tap0
add vport0
# cat /etc/hostname.vport0
inet 0xffffff00
# cat /etc/vm.conf
socket owner :vmdusers

switch "switch0" {
    locked lladdr
    interface veb0
}

vm "user" {
    owner user
    memory 2G
    cdrom $bsdiso
    disk /home/user/user.qcow2 format qcow2
    interface tap0 {
        locked lladdr ab:cd:ef:01:23:45
        switch "switch0"
    }
}
# cat /etc/sysctl.conf

In the virtual machine:

$ cat /etc/hostname.vio0
inet 0xffffff00

Packet Filter

Finally, we add this line inside /etc/pf.conf:

match out on egress from !(egress:network) to any nat-to (egress:0)

This rule matches packets leaving through the egress group (any interface that can reach the default route). It applies only to packets whose source address is outside the egress interface's own network. When both conditions are met, the source address is automatically translated to the non-aliased IP address of egress.
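
The rule's matching logic, modelled in Python as an added example (not code from the original page); all addresses are constructed and the function names are hypothetical. It also covers the failure case where the VM network overlaps the egress network, so the rule never translates VM traffic.

```python
import ipaddress


def parse_inet(line):
    """Parse a hostname.if line such as 'inet 10.0.0.1 0xffffff00'."""
    _, addr, mask = line.split()[:3]
    prefixlen = bin(int(mask, 16)).count("1")  # 0xffffff00 -> 24
    return ipaddress.ip_interface(f"{addr}/{prefixlen}")


def nat_source(src, egress_addrs):
    """Return the source address a packet carries after the match rule.

    egress_addrs[0] is the non-alias address that (egress:0) expands to;
    any further entries are aliases on the same interface.
    """
    src = ipaddress.ip_address(src)
    # from !(egress:network): packets sourced from a network attached
    # to egress are left untouched.
    if any(src in a.network for a in egress_addrs):
        return src
    # nat-to (egress:0): rewrite to the first, non-alias address.
    return egress_addrs[0].ip


def overlaps_egress(vm_if, egress_addrs):
    """True when the VM network overlaps an egress network.

    In that case !(egress:network) never matches the VM's packets and
    they leave with their internal source address.
    """
    return any(vm_if.network.overlaps(a.network) for a in egress_addrs)


# Constructed sample addresses (documentation and private ranges).
EGRESS = [
    parse_inet("inet 192.0.2.10 0xffffff00"),  # primary address
    parse_inet("inet 192.0.2.11 0xffffffff"),  # alias
]
VPORT0 = parse_inet("inet 10.0.0.1 0xffffff00")          # separate VM network
BAD_VPORT0 = parse_inet("inet 192.0.2.129 0xffffff80")   # inside egress network

if __name__ == "__main__":
    print("VM 10.0.0.2 leaves as", nat_source("10.0.0.2", EGRESS))
    print("LAN host 192.0.2.50 leaves as", nat_source("192.0.2.50", EGRESS))
    print("overlap with 10.0.0.0/24:", overlaps_egress(VPORT0, EGRESS))
    print("overlap with 192.0.2.128/25:", overlaps_egress(BAD_VPORT0, EGRESS))
```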

Bi-directional NAT

If you want to provide public services, bi-directional NAT can provide a 1-to-1 mapping of ports between the public and internal IP address:

match on egress from to any binat-to

Replace with your actual, public IP.