VMM on Home Workstation/Router

This guide assumes you have referred to the Vmm Configuration guide and read the OpenBSD FAQ.

In the setup below, re1 is connected to a router that provides NAT and DHCP. re0 is a second interface card on the computer, which provides internet access to other devices.

re0 will act as a default gateway for other devices on the network, providing them with NAT:

$ doas cat /etc/hostname.re0
inet 192.168.1.1 255.255.255.0 192.168.1.255

re1 uses DHCP itself to get an IP address from the default gateway 192.168.0.1:

$ doas cat /etc/hostname.re1
dhcp

As we see later, re1 is assigned the IP address 192.168.0.8 by the DHCP server.

re1 and the virtual machines are bridged via bridge0:

$ doas cat /etc/hostname.bridge0
add re1
up

The virtual machines are placed on a switch that connects to bridge0 (doas vmd -n checks the file for syntax errors before vmd is restarted):

$ doas cat /etc/vm.conf
# members of group vmdusers may use the vmd control socket
socket owner :vmdusers

switch "switch0" {
    interface bridge0
}

vm "username" {
    owner username
    memory 512M
    cdrom "/home/username/downloads/software/9front/9front-8593.acc504c319a4b4188479cfa602e40cb6851c0528.amd64.iso"
    disk /home/username/username.qcow2
    interface {
        # locked: vmd drops frames whose source MAC is not this address
        locked lladdr 3a:24:38:91:0e:01
        switch "switch0"
    }
}

vm "username-bsd" {
    owner username
    memory 512M
    cdrom "/home/username/downloads/software/openbsd/install70.iso"
    disk /home/username/username-bsd.qcow2
    interface {
        locked lladdr 3a:24:38:91:0e:02
        switch "switch0"
    }
}

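
A vm.conf written by hand is easy to get subtly wrong: a vm block that is never closed, two guests on the same switch with the same lladdr, or a MAC that is not locally administered. The script below is an added example, not code from this page or from OpenBSD's vmd(8); doas vmd -n remains the authoritative syntax check. It parses a vm.conf-shaped file, verifies brace balance, checks that every vm has an owner and a locked lladdr, that no two VMs share a MAC, and that each MAC is a unicast, locally administered address (bit 1 of the first octet set, bit 0 clear), which is what the 3a:... addresses above are. The sample configurations it tests against are constructed from the file above.

```python
"""Consistency checks for a vm.conf like the one above.

Added example, not part of this page or of OpenBSD's vmd(8); 'doas vmd -n' is the
authoritative syntax check.  This script checks brace balance, owner and 'locked
lladdr' per vm, MAC uniqueness, and that each MAC is unicast and locally administered.
"""
import re
from typing import Dict, List

# Constructed sample: the configuration from this page, minus cdrom and memory lines.
GOOD = """\
socket owner :vmdusers
switch "switch0" {
    interface bridge0
}
vm "username" {
    owner username
    disk /home/username/username.qcow2
    interface {
        locked lladdr 3a:24:38:91:0e:01
        switch "switch0"
    }
}
vm "username-bsd" {
    owner username
    disk /home/username/username-bsd.qcow2
    interface {
        locked lladdr 3a:24:38:91:0e:02
        switch "switch0"
    }
}
"""
# Constructed variants: the first vm block never closed; both VMs given one MAC.
UNCLOSED = GOOD.replace('    }\n}\nvm "username-bsd"', '    }\nvm "username-bsd"')
DUPLICATE_MAC = GOOD.replace("3a:24:38:91:0e:02", "3a:24:38:91:0e:01")

VM_OPEN = re.compile(r'^vm\s+"([^"]+)"\s*\{$')
LLADDR = re.compile(r"^locked\s+lladdr\s+(\S+)$")

def parse_vms(text: str) -> Dict[str, Dict[str, str]]:
    """Return {vm name: {"owner": ..., "lladdr": ...}}; ValueError on unbalanced braces."""
    vms: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # vm.conf uses '#' comments
        if not line:
            continue
        m = VM_OPEN.match(line)
        if m:
            if depth != 0:
                raise ValueError(f"line {lineno}: vm block opened inside an open block (missing '}}'?)")
            current = m.group(1)
            vms[current] = {}
        elif current is not None:
            if line.startswith("owner "):
                vms[current]["owner"] = line.split()[1]
            m = LLADDR.match(line)
            if m:
                vms[current]["lladdr"] = m.group(1).lower()
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None                           # back at top level
    if depth:
        raise ValueError(f"end of file with {depth} unclosed block(s)")
    return vms

def mac_problems(mac: str) -> List[str]:
    """A station MAC needs bit 0 of the first octet clear; locally administered needs bit 1 set."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        return [f"{mac}: not a 48-bit MAC address"]
    first, probs = int(octets[0], 16), []
    if first & 0x01:
        probs.append(f"{mac}: multicast bit set, not usable as a station address")
    if not first & 0x02:
        probs.append(f"{mac}: not locally administered, may collide with a vendor-assigned address")
    return probs

def check_config(text: str) -> List[str]:
    """Return the list of problems found; an empty list means every check passed."""
    try:
        vms = parse_vms(text)
    except ValueError as e:
        return [str(e)]
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for name, attrs in vms.items():
        if "owner" not in attrs:
            problems.append(f'vm "{name}": no owner, so only root can manage it with vmctl')
        mac = attrs.get("lladdr")
        if mac is None:
            problems.append(f'vm "{name}": interface has no locked lladdr, so the guest may change its MAC')
            continue
        problems += [f'vm "{name}": {p}' for p in mac_problems(mac)]
        if mac in seen:
            problems.append(f'vm "{name}": lladdr {mac} already used by vm "{seen[mac]}"')
        seen.setdefault(mac, name)
    return problems
```

check_config(GOOD) returns an empty list; check_config(UNCLOSED) reports the line where the second vm block opens while the first is still open, and check_config(DUPLICATE_MAC) reports the shared lladdr. To run it against the real file, pass the output of doas cat /etc/vm.conf as the text argument.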

With the username-bsd VM running, ifconfig shows its tap0 interface as a member of bridge0 alongside re1:

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:4c:05:0f:98
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
re1: flags=808b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
        lladdr c0:3f:d5:55:7d:fd
        index 2 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.0.8 netmask 0xffffff00 broadcast 192.168.0.255
enc0: flags=0<>
        index 3 priority 0 llprio 3
        groups: enc
        status: active
bridge0: flags=41<UP,RUNNING>
        description: switch1-switch0
        index 5 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        tap0 flags=3<LEARNING,DISCOVER>
                port 7 ifpriority 0 ifcost 0
        re1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 6 priority 0 llprio 3
        groups: pflog
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:e8:b0
        description: vm1-if0-username-bsd
        index 7 priority 0 llprio 3
        groups: tap
        status: active

IP forwarding has to be enabled for the host to route between re0 and re1; the two forwarding sysctls are what this setup needs (kern.audio.record is unrelated to networking):

$ doas cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
kern.audio.record=1
net.inet.ip.arpq.maxlen=1024

In the firewall, tap0 and bridge0 are skipped; without the skip, the antispoof and block all rules would drop the bridged VM traffic, because a guest packet with a 192.168.0.x source enters the host on tap0 rather than on re1, which is exactly what antispoof for egress blocks. The trade-off is that PF does not filter a skipped interface at all: the host firewall never inspects what the guests send, so the locked lladdr in vm.conf is the only layer-2 spoofing control left on that path. The rest of the firewall rules come from OpenBSD's PF FAQ.

$ doas cat /etc/pf.conf
wired = "re0"
wifi  = "athn0"   # not present in the ifconfig output above
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 224.0.0.0/3 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }
set block-policy drop
set loginterface egress
# skipped interfaces are not filtered at all
set skip on lo0
set skip on tap0
set skip on bridge0
match in all scrub (no-df random-id max-mss 1440)
# NAT the re0 LAN (anything not on the egress network) behind re1's address
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $wired $wifi }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on { $wired $wifi } inet
# ssh from both the 192.168.0.0/24 and the 192.168.1.0/24 side
pass in proto tcp from 192.168.0.0/16 to port ssh
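
To make the effect of the skip rules concrete, here is a small model of how PF evaluates this ruleset, added as an example and not code from the page or from OpenBSD. It implements only what is needed: last matching rule wins, quick ends evaluation, interfaces in set skip are not filtered, and the two-rule expansion pf.conf(5) documents for antispoof for IF (block in on ! IF inet from IF:network to any, plus block in inet from (IF) to any). Protocols and ports are not modelled, so the ssh rule is left out, and athn0 is left out because the host has no such interface. The guest address 192.168.0.20 and the other test addresses are constructed. A guest packet arriving on tap0 with a 192.168.0.x source is dropped by the antispoof rule for re1 unless tap0 is skipped; with the skip, the same guest sending a 10.0.0.5 source is passed untouched, which is the trade-off the skip makes.

```python
"""Toy model of PF evaluating this page's ruleset for bridged VM traffic.

Added example, not code from the page or from OpenBSD.  It models only what is
needed to show why tap0 is skipped and what the skip costs: last matching rule
wins, 'quick' ends evaluation, interfaces in 'set skip' are not filtered, and
the two-rule expansion pf.conf(5) documents for 'antispoof for IF'.  Protocols
and ports are not modelled, so the ssh rule is omitted; athn0 is omitted because
the host has no such interface.  The guest address 192.168.0.20 and the other
test addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Host interfaces as shown by ifconfig on the page.
IFACE_NET = {"re0": ip_network("192.168.1.0/24"), "re1": ip_network("192.168.0.0/24")}
IFACE_ADDR = {"re0": ip_network("192.168.1.1/32"), "re1": ip_network("192.168.0.8/32")}
EGRESS = "re1"
MARTIANS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "224.0.0.0/3", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24")]

@dataclass
class Packet:
    direction: str          # "in" or "out"
    iface: str
    src: str
    dst: str

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in", "out" or "any"
    iface: Optional[str] = None     # None: any interface
    negate_iface: bool = False      # 'on ! IF'
    src: Optional[List] = None      # networks the source must fall in
    dst: Optional[List] = None      # networks the destination must fall in
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.iface is not None and (p.iface == self.iface) == self.negate_iface:
            return False
        if self.src and not any(ip_address(p.src) in n for n in self.src):
            return False
        if self.dst and not any(ip_address(p.dst) in n for n in self.dst):
            return False
        return True

def antispoof(iface: str, quick: bool) -> List[Rule]:
    """pf.conf(5): 'antispoof for IF' becomes 'block in on ! IF inet from IF:network
    to any' plus 'block in inet from (IF) to any'."""
    return [
        Rule("block", "in", iface, negate_iface=True, src=[IFACE_NET[iface]], quick=quick),
        Rule("block", "in", src=[IFACE_ADDR[iface]], quick=quick),
    ]

# The page's filter rules, in order.
RULES: List[Rule] = antispoof(EGRESS, quick=True) + antispoof("re0", quick=True) + [
    Rule("block", "in", EGRESS, src=MARTIANS, quick=True),   # block in quick on egress from <martians>
    Rule("block", "out", EGRESS, dst=MARTIANS, quick=True),  # block return out quick on egress to <martians>
    Rule("block", "any"),                                    # block all
    Rule("pass", "out", quick=True),                         # pass out quick inet
    Rule("pass", "in", "re0"),                               # pass in on $wired inet
]

def verdict(p: Packet, skip: set, rules: List[Rule]) -> str:
    """PF's decision for one packet crossing one interface."""
    if p.iface in skip:
        return "pass (skipped)"       # set skip: PF never looks at this interface
    result = "pass"                   # implicit default when no rule matches
    for r in rules:
        if r.matches(p):
            result = r.action         # last matching rule wins ...
            if r.quick:
                break                 # ... unless the match is quick
    return result

if __name__ == "__main__":
    SKIP = {"lo0", "tap0", "bridge0"}
    guest = Packet("in", "tap0", "192.168.0.20", "192.168.0.1")   # legitimate guest traffic
    spoof = Packet("in", "tap0", "10.0.0.5", "192.168.0.1")       # guest forging its source
    for label, skip in (("no skip  ", set()), ("with skip", SKIP)):
        print(f"{label}: guest={verdict(guest, skip, RULES)} spoofed={verdict(spoof, skip, RULES)}")
```

Without the skip both guest packets come back as block; with it both come back as pass (skipped), the forged source included. On the real host the equivalent check is pfctl -sr after loading the ruleset, which prints the antispoof lines already expanded into the two block rules modelled above.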