# VMM on Home Workstation/Router

This guide assumes you have referred to the [Vmm Configuration](Vmm/Configure) guide and read the [OpenBSD FAQ](https://www.openbsd.org/faq/faq16.html#VMMnet).

In the setup below, re1 is connected to a router that provides NAT and DHCP. re0 is a second interface card on the computer, which provides internet access to other devices.

re0 will act as a default gateway for other devices on the network, providing them with NAT:

```
$ doas cat /etc/hostname.re0
inet 192.168.1.1 255.255.255.0 192.168.1.255
```

re1 uses DHCP itself to get an IP address from the default gateway 192.168.0.1:

```
$ doas cat /etc/hostname.re1
dhcp
```

As the ifconfig output below shows, re1 is assigned the IP address 192.168.0.8 by the DHCP server.

re1 and the virtual machines are bridged via bridge0:

```
$ doas cat /etc/hostname.bridge0
add re1 up
```

The virtual machines are placed on a switch that connects to bridge0:

```
$ doas cat /etc/vm.conf
socket owner :vmdusers

switch "switch0" {
	interface bridge0
}

vm "username" {
	owner username
	memory 512M
	cdrom "/home/username/downloads/software/9front/9front-8593.acc504c319a4b4188479cfa602e40cb6851c0528.amd64.iso"
	disk /home/username/username.qcow2
	interface {
		# fixed MAC address; "locked" ties the guest to it
		locked lladdr 3a:24:38:91:0e:01
		switch "switch0"
	}
}

vm "username-bsd" {
	owner username
	memory 512M
	cdrom "/home/username/downloads/software/openbsd/install70.iso"
	disk /home/username/username-bsd.qcow2
	interface {
		locked lladdr 3a:24:38:91:0e:02
		switch "switch0"
	}
}
```

```
$ ifconfig
lo0: flags=8049 mtu 32768
	index 4 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%25lo0 prefixlen 64 scopeid 0x4
	inet 127.0.0.1 netmask 0xff000000
re0: flags=8843 mtu 1500
	lladdr 00:e0:4c:05:0f:98
	index 1 priority 0 llprio 3
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
re1: flags=808b43 mtu 1500
	lladdr c0:3f:d5:55:7d:fd
	index 2 priority 0 llprio 3
	groups: egress
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
	inet 192.168.0.8 netmask 0xffffff00 broadcast 192.168.0.255
enc0: flags=0<>
	index 3 priority 0 llprio 3
	groups: enc
	status: active
bridge0: flags=41
	description: switch1-switch0
	index 5 llprio 3
	groups: bridge
	priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
	tap0 flags=3
		port 7 ifpriority 0 ifcost 0
	re1 flags=3
		port 2 ifpriority 0 ifcost 0
pflog0: flags=141 mtu 33136
	index 6 priority 0 llprio 3
	groups: pflog
tap0: flags=8943 mtu 1500
	lladdr fe:e1:ba:d0:e8:b0
	description: vm1-if0-username-bsd
	index 7 priority 0 llprio 3
	groups: tap
	status: active
```

```
$ doas cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
kern.audio.record=1
net.inet.ip.arpq.maxlen=1024
```

In the firewall, we skip tap0 and bridge0 because the antispoof and block all rules would otherwise filter the virtual machines' packets. `set skip` exempts those interfaces from PF processing entirely, so none of the rules below are evaluated for packets on tap0 or bridge0. The rest of the firewall rules come from [OpenBSD's PF FAQ](https://www.openbsd.org/faq/pf/example1.html).

```
$ doas cat /etc/pf.conf
wired = "re0"
wifi  = "athn0"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 224.0.0.0/3 198.18.0.0/15 198.51.100.0/24 \
                   203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
set skip on tap0
set skip on bridge0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $wired $wifi }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on { $wired $wifi } inet
pass in proto tcp from 192.168.0.0/16 to port ssh
```
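
Because the guests in the vm.conf shown earlier share a layer-2 segment with re1, the `locked lladdr` lines matter: per vm.conf(5), `locked` makes vmd(8) drop packets from the VM with altered source addresses. The audit below is an added example, not part of the original guide; the names `audit_vmconf` and `sample_vmconf` and the sample config are constructed, and it only understands the `interface { ... }` block form used on this page.

```shell
# Added example: flag guest interfaces in a vm.conf that are not locked to
# their MAC address or that reuse one. Reads the files in "$@", else stdin.
audit_vmconf() {
    awk '
    function check() {
        if (!locked) { print vm ": interface is not locked to its lladdr"; bad = 1 }
        if (length(mac) != 17 || mac !~ /^[0-9a-f:]+$/) return  # no fixed MAC given
        if (mac in seen) { print vm ": lladdr " mac " is also used by " seen[mac]; bad = 1 }
        else seen[mac] = vm
    }
    {
        sub(/#.*/, "")                          # drop comments
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                depth++
                if (pend) { inif = depth; locked = 0; mac = ""; pend = 0 }
            } else if ($i == "}") {
                if (inif && inif == depth) { check(); inif = 0 }
                if (--depth == 0) vm = ""
            } else if ($i == "vm" && depth == 0) { vm = $(i + 1); gsub(/"/, "", vm) }
            else if ($i == "interface" && vm != "" && depth == 1) pend = 1
            else if (inif && $i == "locked") locked = 1
            else if (inif && $i == "lladdr") mac = tolower($(i + 1))
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: guest-b lacks "locked", guest-c reuses the MAC of guest-a.
sample_vmconf() {
    cat <<'EOF'
switch "switch0" { interface bridge0 }
vm "guest-a" {
    interface {
        locked lladdr 3a:24:38:91:0e:01
    }
}
vm "guest-b" {
    interface {
        lladdr 3a:24:38:91:0e:02
    }
}
vm "guest-c" {
    interface {
        locked lladdr 3A:24:38:91:0E:01
    }
}
EOF
}
sample_vmconf | audit_vmconf || echo "findings above need fixing"
```

On the host itself, run it as `doas cat /etc/vm.conf | audit_vmconf`; a non-zero exit status means at least one finding was printed.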