assuming gns3 OpenBSD KVM guests
We want to reach three internal machines from three different public IPs (hence DNAT), which here would be emulated as follows
192.168.122.91 --> 10.3.3.1 192.168.122.92 --> 10.3.3.2 192.168.122.93 --> 10.3.3.3
We are putting THREE full-nat gateways in between just to better understand the possibilities (and limitations) of such a setup, and to be able to trace the packets at multiple segments, and depending on their direction (DNAT vs. SNAT)
We are defining an additional IP .4 at every step of the chain, just to be able to ping the routers among themselves.
Obviously this can only work if as many gray IPs as you have white IPs.
vpcs*
ip 10.3.3.1/24 10.3.3.254 ip 10.3.3.2/24 10.3.3.254 ip 10.3.3.3/24 10.3.3.254 save
obsd*
echo obsd1 > /etc/myname
echo obsd2 > /etc/myname
echo obsd3 > /etc/myname
vi /etc/hostname.vio0
# obsd1
inet 192.168.122.91/24
inet alias 192.168.122.92/24
inet alias 192.168.122.93/24
inet alias 192.168.122.94/24
# obsd2
inet 10.1.1.1/24
inet alias 10.1.1.2/24
inet alias 10.1.1.3/24
inet alias 10.1.1.4/24
# obsd3
inet 10.2.2.1/24
inet alias 10.2.2.2/24
inet alias 10.2.2.3/24
inet alias 10.2.2.4/24
vi /etc/hostname.vio1
inet 10.1.1.254/24
inet 10.2.2.254/24
inet 10.3.3.254/24
vi /etc/mygate
# obsd3
10.2.2.254
# obsd2
10.1.1.254
# obsd1
192.168.122.1
echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
mv -i /etc/pf.conf /etc/pf.conf.dist
vi /etc/pf.conf
# obsd1
pass on vio0 from 10.1.1.1 to any binat-to 192.168.122.91
pass on vio0 from 10.1.1.2 to any binat-to 192.168.122.92
pass on vio0 from 10.1.1.3 to any binat-to 192.168.122.93
# obsd2
pass on vio0 from 10.2.2.1 to any binat-to 10.1.1.1
pass on vio0 from 10.2.2.2 to any binat-to 10.1.1.2
pass on vio0 from 10.2.2.3 to any binat-to 10.1.1.3
# obsd3
pass on vio0 from 10.3.3.1 to any binat-to 10.2.2.1
pass on vio0 from 10.3.3.2 to any binat-to 10.2.2.2
pass on vio0 from 10.3.3.3 to any binat-to 10.2.2.3
shutdown -r now
ifconfig vio0
pfctl -s rules
shutdown vpcs1 and check that only vpcs2,3 do respond.
obsd2 pings vpcs* through full-nat on obsd3
ping 10.2.2.3 # OK ping 10.2.2.2 # OK ping 10.2.2.1 # SHOULD NOT RESPOND
obsd1 pings vpcs* through two full-nats
ping 10.1.1.3 # OK ping 10.1.1.2 # OK ping 10.1.1.1 # SHOULD NOT RESPOND
and sniff the packets e.g. on the last segment between obsd3 and vpcs2
workstation pings vpcs* through three full-nats
ping 192.168.122.93 # OK ping 192.168.122.92 # OK ping 192.168.122.91 # SHOULD NOT RESPOND
and sniff the packets on the same segment as above
Bidirectional Mapping (1:1 Mapping) https://www.openbsd.org/faq/pf/nat.html#binat
Setting Up Aliases on an Interface https://www.openbsd.org/faq/faq6.html#Setup.aliases
Request multiple IP-addresses via DHCP on a single physical interface (OpenBSD) https://serverfault.com/questions/337331/request-multiple-ip-addresses-via-dhcp-on-a-single-physical-interface-openbsd