• View
• Edit
• History
• Print

Configure NAT inside VMM

Network address translation? can be configured for virtual machines run inside vmm.

First, in the hypervisor, we configure the proper interfaces:

# cat /etc/hostname.veb0
add tap0
add vport0
link1
# cat /etc/hostname.vport0
inet 10.0.5.1 0xffffff00
up
# cat /etc/vm.conf
socket owner :vmdusers

switch "switch0" {
    locked lladdr
    interface veb0
}

bsdiso="/home/iso/install75.iso"

vm "user" {
    owner user
    memory 2G
    cdrom $bsdiso
    disk /home/user/user.qcow2 format qcow2
    interface tap0 { 
        locked lladdr ab:cd:ef:01:23:45
        switch "switch0"
    }
}
# cat /etc/sysctl.conf
net.inet.ip.arpq.maxlen=1024
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

In the virtual machine:

$ cat /etc/hostname.vio0
inet 10.0.5.2 0xffffff00
up

Packet Filter

Finally, we add this line inside /etc/pf.conf:

match out on egress from !(egress:network) to any nat-to (egress:0)

This rule matches packets that leave out on the egress (any interface that can reach the default route). It applies only to packets that come from a network that doesn't match the egress's network. If those conditions are met, we automatically perform NAT to the non-aliased IP address of egress.

Bi-directional NAT

If you want to provide public services, bi-directional NAT can provide a 1-to-1 mapping of ports between the public and internal IP address:

match on egress from 10.0.5.2 to any binat-to 192.168.0.1

Replace 192.168.0.1 with your actual, public IP.