name=Vmm.Homerouter author=jrmu ctime=1635268100

(:title VMM on Home Workstation/Router:)

This guide assumes you have referred to the [[Vmm/Configure|Vmm Configuration]] guide and read the [[https://www.openbsd.org/faq/faq16.html#VMMnet|OpenBSD FAQ]].

In the setup below, re1 is connected to a router that provides NAT and DHCP. re0 is a second interface card on the computer, which provides internet access to other devices.

re0 will act as a default gateway for other devices on the network, providing them with NAT:

[@
$ doas cat /etc/hostname.re0
inet 192.168.1.1 255.255.255.0 192.168.1.255
@]

re1 uses DHCP itself to get an IP address from the default gateway 192.168.0.1:

[@
$ doas cat /etc/hostname.re1
dhcp
@]

As we see later, re1 is assigned the IP address 192.168.0.8 by the DHCP server.

re1 and the virtual machines are bridged via bridge0:

[@
$ doas cat /etc/hostname.bridge0
add re1
up
@]

The virtual machines are placed on a switch that connects to bridge0. Each guest gets a fixed, locked MAC address so that it cannot change its own link-layer address:

[@
$ doas cat /etc/vm.conf
socket owner :vmdusers

switch "switch0" {
    interface bridge0
}

vm "username" {
    owner username
    memory 512M
    cdrom "/home/username/downloads/software/9front/9front-8593.acc504c319a4b4188479cfa602e40cb6851c0528.amd64.iso"
    disk /home/username/username.qcow2
    interface {
        locked lladdr 3a:24:38:91:0e:01
        switch "switch0"
    }
}

vm "username-bsd" {
    owner username
    memory 512M
    cdrom "/home/username/downloads/software/openbsd/install70.iso"
    disk /home/username/username-bsd.qcow2
    interface {
        locked lladdr 3a:24:38:91:0e:02
        switch "switch0"
    }
}
@]

With the bridge up and one guest running, the interfaces look like this (tap0 is the running guest's interface, and both tap0 and re1 are members of bridge0):

[@
$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:4c:05:0f:98
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
re1: flags=808b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
        lladdr c0:3f:d5:55:7d:fd
        index 2 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.0.8 netmask 0xffffff00 broadcast 192.168.0.255
enc0: flags=0<>
        index 3 priority 0 llprio 3
        groups: enc
        status: active
bridge0: flags=41<UP,RUNNING>
        description: switch1-switch0
        index 5 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        tap0 flags=3<LEARNING,DISCOVER>
                port 7 ifpriority 0 ifcost 0
        re1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 6 priority 0 llprio 3
        groups: pflog
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:e8:b0
        description: vm1-if0-username-bsd
        index 7 priority 0 llprio 3
        groups: tap
        status: active
@]

IP forwarding must be enabled for re0 to act as a gateway:

[@
$ doas cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
kern.audio.record=1
net.inet.ip.arpq.maxlen=1024
@]

In the firewall, we skip tap0 and bridge0, because otherwise the antispoof and block all rules would filter the virtual machines' packets. The rest of the firewall rules come from [[https://www.openbsd.org/faq/pf/example1.html|OpenBSD's PF FAQ]].

[@
$ doas cat /etc/pf.conf
wired = "re0"
wifi = "athn0"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 224.0.0.0/3 198.18.0.0/15 198.51.100.0/24 \
                   203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
set skip on tap0
set skip on bridge0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $wired $wifi }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on { $wired $wifi } inet
pass in proto tcp from 192.168.0.0/16 to port ssh
@]
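Because VM traffic bypasses pf on tap0 and bridge0, the vm.conf above relies on every guest having a unique, locked lladdr on a defined switch. The following shell check is an added example (not part of this wiki page or of vmd): check_vmconf is a name chosen here, it parses a vm.conf laid out like the one above, and the sample file it inspects is constructed for the example.

```shell
# Added example, not from the wiki page: a consistency check for a vm.conf
# laid out like the one above. It flags a vm interface without "locked
# lladdr" (the guest could then change its MAC), a lladdr used by two vms,
# and a switch that is referenced but never defined. Exit status 0 = clean.
check_vmconf() {
    awk 'BEGIN { bad = 0 }
    # top-level  switch "name" { ... }  definitions
    !inif && /^[[:space:]]*switch[[:space:]]+"/ { gsub(/"/, "", $2); defined[$2] = 1 }
    # vm "name" {  starts a new vm
    /^[[:space:]]*vm[[:space:]]+"/ { gsub(/"/, "", $2); vm = $2 }
    # interface { ... } stanza inside the current vm
    vm != "" && /^[[:space:]]*interface[[:space:]]*[{]/ { inif = 1; locked = 0 }
    inif && /lladdr/ {
        if ($1 == "locked") locked = 1
        mac = tolower($NF)
        if (mac in seen) { printf "%s: lladdr %s already used by %s\n", vm, mac, seen[mac]; bad = 1 }
        seen[mac] = vm
    }
    inif && /switch[[:space:]]+"/ { gsub(/"/, "", $2); ref[vm] = $2 }
    inif && /^[[:space:]]*[}]/ {
        inif = 0
        if (!locked) { printf "%s: interface lladdr is not locked\n", vm; bad = 1 }
    }
    END {
        for (v in ref)
            if (!(ref[v] in defined)) { printf "%s: switch \"%s\" is not defined\n", v, ref[v]; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample (not the file on the page): the second vm reuses the
# first vm's MAC without locking it and names a switch that does not exist.
sample=$(mktemp)
cat > "$sample" <<'EOF'
switch "switch0" { interface bridge0 }
vm "username" {
    interface {
        locked lladdr 3a:24:38:91:0e:01
        switch "switch0"
    }
}
vm "username-bsd" {
    interface {
        lladdr 3A:24:38:91:0E:01
        switch "switch1"
    }
}
EOF
check_vmconf "$sample" || echo "vm.conf has findings (exit $?)"
rm -f "$sample"
```

Run it against /etc/vm.conf before `vmctl reload`; an exit status of 0 means no findings.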