// MacOS Yosemite PF nat configuration log

// First, check that the virtual LAN interface vboxnet0 is configured
// right and that I can ping my VM from the host MacOS:

hedgehog:~ sergey$ ifconfig vboxnet0
vboxnet0: flags=8943 mtu 1500
	ether 0a:00:27:00:00:00
	inet 192.168.56.1 netmask 0xffffff00 broadcast 192.168.56.255

hedgehog:~ sergey$ ping -c3 192.168.56.100
PING 192.168.56.100 (192.168.56.100): 56 data bytes
64 bytes from 192.168.56.100: icmp_seq=0 ttl=64 time=0.339 ms
64 bytes from 192.168.56.100: icmp_seq=1 ttl=64 time=0.575 ms
64 bytes from 192.168.56.100: icmp_seq=2 ttl=64 time=0.716 ms

--- 192.168.56.100 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.339/0.543/0.716/0.156 ms

// OK, this works. Now to configure NAT.

// Must be root to NAT:
hedgehog:~ sergey$ sudo bash

// Enable packet forwarding in the kernel:
bash-3.2# sysctl -w net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1

// Examine existing NAT rules, if any:
bash-3.2# pfctl -s nat
No ALTQ support in kernel
ALTQ related functions disabled
nat-anchor "com.apple/*" all
rdr-anchor "com.apple/*" all

// Clear NAT rules:
bash-3.2# pfctl -F nat
No ALTQ support in kernel
ALTQ related functions disabled
nat cleared

// Create a new NAT rule, in a file:
bash-3.2# echo "nat on en0 from 192.168.56.0/24 to any -> (en0)" > nat.rules

// Deploy the new NAT rule!
// Meaning: any packet from 192.168.56/24 attempting to go out (to any IP) on en0
// will have its src IP rewritten to that of en0.
bash-3.2# pfctl -f nat.rules -e
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

No ALTQ support in kernel
ALTQ related functions disabled
pf enabled

// Check that the rule took:
bash-3.2# pfctl -s nat
No ALTQ support in kernel
ALTQ related functions disabled
nat on en0 inet from 192.168.56.0/24 to any -> (en0) round-robin

// BUT, ping out to 8.8.8.8 from the VM _still_ doesn't work! What gives?
// Let's look at the available interfaces: maybe en0 is not the one my Mac
// is currently using to send packets out to the Internet?
bash-3.2# ifconfig en0
en0: flags=8863 mtu 1500
	options=10b
	ether 68:5b:35:7f:e7:a4
	nd6 options=1
	media: autoselect (none)
	status: inactive

// Aha, no IP address above. Indeed, I am connected not via en0 (my wired Ethernet)
// but my Wi-Fi, en1:
bash-3.2# ifconfig en1
en1: flags=8863 mtu 1500
	ether a8:bb:cf:18:29:a6
	inet6 fe80::aabb:cfff:fe18:29a6%en1 prefixlen 64 scopeid 0x6
	inet 192.168.1.39 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=1
	media: autoselect
	status: active

// So I need to change the above NAT rule to en1. First removing (flushing,
// hence -F) the existing rule:
bash-3.2# pfctl -F nat
No ALTQ support in kernel
ALTQ related functions disabled
nat cleared

// Changing the rule:
bash-3.2# echo "nat on en1 from 192.168.56.0/24 to any -> (en1)" > nat.rules

// And deploying it!
bash-3.2# pfctl -f nat.rules -e
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled

// Now I can ping 8.8.8.8 from the VM!

// I can sniff vboxnet0 like any other interface, and see the
// ping packets (and ARP, too):
bash-3.2# tcpdump -i vboxnet0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vboxnet0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:40:26.050277 IP 192.168.56.100 > 8.8.8.8: ICMP echo request, id 2650, seq 1, length 64
21:40:27.068322 IP 192.168.56.100 > 8.8.8.8: ICMP echo request, id 2650, seq 2, length 64
21:40:28.092126 IP 192.168.56.100 > 8.8.8.8: ICMP echo request, id 2650, seq 3, length 64
21:40:29.116194 IP 192.168.56.100 > 8.8.8.8: ICMP echo request, id 2650, seq 4, length 64
21:40:30.139993 IP 192.168.56.100 > 8.8.8.8: ICMP echo request, id 2650, seq 5, length 64
21:40:31.132084 ARP, Request who-has 192.168.56.1 tell 192.168.56.100, length 46
21:40:31.132136 ARP, Reply 192.168.56.1 is-at 0a:00:27:00:00:00, length 28
21:40:31.164658 IP 192.168.56.100 > 8.8.8.8: ICMP echo request, id 2650, seq 6, length 64
21:40:32.188814 IP 192.168.56.100 > 8.8.8.8: ICMP echo request, id 2650, seq 7, length 64
21:40:33.212142 IP 192.168.56.100 > 8.8.8.8: ICMP echo request, id 2650, seq 8, length 64
21:40:34.236687 IP 192.168.56.100 > 8.8.8.8: ICMP echo request, id 2650, seq 9, length 64
^C
11 packets captured
12 packets received by filter
0 packets dropped by kernel
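// Added example, not part of the log above: a small POSIX sh script that
// automates the sequence (forwarding sysctl, flush, load, show) and avoids
// the mistake the log ran into, i.e. writing the rule for an interface that
// carries no address. It asks the routing table which interface holds the
// default route, refuses to continue if that interface has no IPv4 "inet"
// line, and parses the rule file with pfctl -n before loading it. The
// default network 192.168.56.0/24 and file name nat.rules are taken from the
// log; the APPLY_NAT guard, the helper names and the canned route/ifconfig
// text used to exercise them are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original log): generate and load the pf NAT
# rule for whichever interface currently carries the default route.
# Assumes macOS route(8), ifconfig(8), sysctl(8) and pfctl(8) as in the log.
set -eu

VM_NET="${VM_NET:-192.168.56.0/24}"     # VirtualBox host-only network (from the log)
RULES_FILE="${RULES_FILE:-nat.rules}"   # rule file name (from the log)

# Build the one-line NAT rule for outbound interface $1 and source network $2.
# "(ifname)" in parentheses tells pf to track the interface's current address,
# so the rule keeps working after a DHCP lease change.
make_nat_rule() {
    printf 'nat on %s from %s to any -> (%s)\n' "$1" "$2" "$1"
}

# Extract the "interface:" field from `route -n get default` output on stdin.
# Split out from the call to route(8) so it can be tested on canned text.
iface_from_route_output() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Return 0 if ifconfig output on stdin carries an IPv4 "inet " line.
# A lone "inet6" link-local line does not count; that is exactly the en0
# state in the log, where the first rule silently NATed to nothing.
has_inet4() {
    grep -q '^[[:space:]]*inet '
}

# Number of "nat on" lines in rule file $1: a sanity check that the file
# holds only the rule we meant to load before handing it to pfctl -f.
nat_rule_count() {
    grep -c '^nat on ' "$1"
}

# Only touch the system when explicitly asked (needs root on the Mac).
if [ "${APPLY_NAT:-0}" = 1 ]; then
    iface=$(route -n get default | iface_from_route_output)
    [ -n "$iface" ] || { echo "no default-route interface found" >&2; exit 1; }
    ifconfig "$iface" | has_inet4 || { echo "$iface has no IPv4 address" >&2; exit 1; }

    make_nat_rule "$iface" "$VM_NET" > "$RULES_FILE"
    [ "$(nat_rule_count "$RULES_FILE")" = 1 ] || { echo "unexpected rule file" >&2; exit 1; }

    sysctl -w net.inet.ip.forwarding=1
    pfctl -n -f "$RULES_FILE"        # parse only: catch syntax errors before touching pf
    pfctl -e 2>/dev/null || true     # "pf already enabled" is reported as an error on re-runs
    pfctl -F nat                     # flush the previous NAT rule, as in the log
    pfctl -f "$RULES_FILE"           # load the new one
    pfctl -s nat                     # and show what pf actually installed
fi
```

// Run it as root with APPLY_NAT=1 to apply; without the variable it only
// defines the helpers, which is what makes it safe to source or test. Two
// caveats carried over from the log: pfctl -f replaces the main ruleset, so
// the Apple anchors from /etc/pf.conf that pfctl -s nat showed at the start
// are gone afterwards, and sysctl -w does not survive a reboot, so both the
// forwarding setting and the rule have to be reapplied after a restart.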