On 2021-05-06, Luke Small <lukensm...@gmail.com> wrote:
> I got it working. I have a pretty hefty amount of vether0 and
> vether0:network in my pf.conf that I changed to vport0 and vport0:network.
>
> That fixed every single thing!
>
> I somehow completely forgot about all the vether0 pf rules which isolate
> the various local systems so VMs are isolated from being able to do
> anything malicious to any local systems.
>
> I silently redirect the VMs' dns and ntp calls to my OpenBSD services to
> harden them a bit too.
>
> -Luke
Make sure you remember you've done this when you try to debug a DNS problem on the VMs. Recursive and authoritative DNS lookups aren't interchangeable... If you want to force a specific DNS server I recommend blocking others, not silently redirecting.
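The two approaches side by side, as an added pf.conf fragment that is not part of this thread and not Luke's actual ruleset. It assumes the VM bridge interface is vport0 and that the host's unbound and ntpd listen on the placeholder address 10.0.0.1; both are constructed values.

```pf
# Added example, not from the thread. Placeholder values: the VM interface
# is vport0 and the host's DNS/NTP services listen on 10.0.0.1.
vm_if   = "vport0"
host_ip = "10.0.0.1"
svc_ports = "{ 53 123 }"   # DNS and NTP

# Approach 1 (what the quoted message describes): silently rewrite every
# DNS/NTP request from the VMs to the host's services. Works, but a VM
# that believes it is talking to 8.8.8.8 is really talking to 10.0.0.1,
# which makes later DNS debugging confusing.
#pass in quick on $vm_if proto { tcp udp } from $vm_if:network \
#    to any port $svc_ports rdr-to $host_ip

# Approach 2 (the reply's recommendation): allow DNS/NTP only to the
# host's services and drop, with logging, anything aimed elsewhere.
# A misconfigured VM now fails visibly instead of being quietly rewritten,
# and the pflog entry shows which VM tried to reach which server.
pass  in quick on $vm_if proto { tcp udp } from $vm_if:network \
    to $host_ip port $svc_ports
block in log quick on $vm_if proto { tcp udp } from $vm_if:network \
    to any port $svc_ports
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch the blocked attempts with `tcpdump -n -e -ttt -i pflog0 port 53 or port 123`. Because both rules carry `quick`, the pass rule must stay above the block rule or every VM query will be dropped.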