2. NAT, port forwards, and routes

Let guests out, let the host in, and join segments together.

After this lesson you can

- Give a segment egress with nat = true
- Expose a guest port on the host with forward
- Add an inter-segment route and per-segment dns

Before you start: Segments, leases, and static IPs

Segments are isolated until you say otherwise. nat = true gives the whole segment outbound internet through the userspace NAT engine. A forward { host_port = 12222 to = "alp:22" } publishes a guest port on the host loopback — that is how you SSH into a lab. route { dest = … via = … } teaches a segment the path to another one, and dns { server = … } swaps the built-in resolver for one of your VMs (an AD domain controller, say).

§ 1 Exercise: SSH through a forward

Add a forward for guest port 22 and SSH in from the host.

console
# segment "corp" { … forward { host_port = 12222 to = "a:22" } }
vmlab validate && vmlab up
ssh vmlab@localhost -p 12222

Expected result

An SSH session in the guest (the published Alpine templates use user vmlab, password vmlab).

Hint

Forwards bind on the host, so the target guest port needs a listener — Alpine's sshd is up by default; a fresh template of your own may need it provisioned.
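
A check to run after vmlab up, added here as an example that is not part of vmlab or the original lesson: it reads `ss -ltnH` output and reports whether the forwarded port is bound only to the host loopback, which matters because the published templates use a known password. The function name `forward_binding` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vmlab code). Classifies how a forwarded host port is bound,
# reading `ss -ltnH` output on stdin. Prints one of: loopback | exposed | absent

forward_binding() {
    port="$1"
    awk -v port="$port" '
        {
            local_addr = $4                     # 127.0.0.1:12222, [::1]:12222, *:12222 ...
            n = match(local_addr, /:[0-9]+$/)   # the port follows the last colon
            if (!n) next
            p    = substr(local_addr, n + 1)
            host = substr(local_addr, 1, n - 1)
            if (p != port) next
            seen = 1
            # Anything other than 127.0.0.0/8 or ::1 is reachable off-host.
            if (host !~ /^127\./ && host != "[::1]") exposed = 1
        }
        END {
            if (!seen)        print "absent"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:12222 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*'

# Demo on the sample; on a live host use: ss -ltnH | forward_binding 12222
printf '%s\n' "$SAMPLE_SS" | forward_binding 12222
```

"absent" means nothing is listening on that host port at all; a "loopback" result with a refused or hanging SSH connection points at the guest side, as the hint describes.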