2. NAT, port forwards, and routes
Let guests out, let the host in, and join segments together.
After this lesson you can
- Give a segment egress with nat = true
- Expose a guest port on the host with forward
- Add an inter-segment route and per-segment dns
Before you start: Segments, leases, and static IPs
Segments are isolated until you say otherwise. nat = true gives the whole segment outbound internet through the userspace NAT engine. A forward { host_port = 12222 to = "alp:22" } publishes a guest port on the host loopback — that is how you SSH into a lab. route { dest = … via = … } teaches a segment the path to another one, and dns { server = … } swaps the built-in resolver for one of your VMs (an AD domain controller, say).
§ 1 Exercise: SSH through a forward
Add a forward for guest port 22 and SSH in from the host.
# segment "corp" { … forward { host_port = 12222 to = "a:22" } }
vmlab validate && vmlab up
ssh vmlab@localhost -p 12222
Expected result
An SSH session in the guest (the published Alpine templates use user vmlab, password vmlab).
Hint
Forwards bind on the host, so the target guest port needs a listener — Alpine's sshd is up by default; a fresh template of your own may need it provisioned.
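When the ssh command hangs or fails, the hint above is the thing to check. The probe below is an added example, not part of vmlab or the lesson. It connects to the forwarded host port from the exercise (12222 on loopback) and reports whether anything is bound and whether a guest sshd answers. Reading "accepts but sends no banner" as a missing guest listener is an assumption about how the forwarder behaves.

```python
import socket

def probe_forward(host="127.0.0.1", port=12222, timeout=3.0):
    """Classify a published forward by what the host port does.

    Returns one of:
      "not-bound"    nothing accepts on the host port (lab down or no forward)
      "no-listener"  host port accepts, but no SSH identification arrives
      "ssh:<ident>"  the guest's sshd answered through the forward
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # refused, timed out, unreachable
        return "not-bound"
    with sock:
        sock.settimeout(timeout)
        try:
            # An SSH server sends its identification string first, so the
            # client side does not have to speak before reading.
            data = sock.recv(256)
        except OSError:  # timeout or reset while waiting for the banner
            return "no-listener"
    # RFC 4253 allows other lines before the "SSH-" identification line.
    for raw in data.split(b"\n"):
        line = raw.strip()
        if line.startswith(b"SSH-"):
            return "ssh:" + line.decode("ascii", "replace")
    return "no-listener"

if __name__ == "__main__":
    # 12222 is the host_port used in the exercise's forward block.
    print(probe_forward())
```

A result of not-bound points at the lab or the forward block; no-listener points at the guest, for example a template of your own without sshd provisioned.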