@palainp Of course, I really want this setup to work.
AppVM (10.137.0.X) → mirage-fw (10.137.0.Y) ← HardenedBSD (10.137.0.Z)
ping 1.1.1.1 in AppVM (10.137.0.X) - (nat on $NIC_IF inet from xn0:network to any → $NIC_IF)
```
INF [dispatcher] packet from client 10.137.0.X -> 1.1.1.1
INF [dispatcher] transmit 10.137.0.Y -> 1.1.1.1
WRN [dispatcher] Incorrect source IP 1.1.1.1 in IP packet from 10.137.0.Z (dropping)
```
Result: ping requests and replies from 10.137.0.Y to one.one.one.one inside xn0
ping 10.137.0.Z (HardenedBSD) in AppVM (10.137.0.X) - (nat on $NIC_IF inet from xn0:network to any → $NIC_IF)
```
INF [dispatcher] packet from client 10.137.0.X -> 10.137.0.Z
INF [dispatcher] transmit 10.137.0.Y -> 10.137.0.Z
INF [dispatcher] packet from client 10.137.0.Z -> 10.137.0.Y
INF [dispatcher] transmit 10.137.0.Z -> 10.137.0.X
```
Result: ping requests and replies from 10.137.0.Y to 10.137.0.Z inside xn0
AppVM (10.137.0.X) → mirage-fw (10.137.0.Y) ← OpenBSD (10.137.0.Z)
ping 1.1.1.1 in AppVM (10.137.0.X) - (pass out on $NIC_IF inet from xnf0:network to any nat-to $NIC_IF)
```
INF [dispatcher] packet from client 10.137.0.X -> 1.1.1.1
INF [dispatcher] transmit 10.137.0.Y -> 1.1.1.1
WRN [dispatcher] Incorrect source IP 1.1.1.1 in IP packet from 10.137.0.X (dropping)
```
Result: ping requests and replies from 10.137.0.Y to 1.1.1.1 inside xnf0
ping 10.137.0.Z (OpenBSD) in AppVM (10.137.0.X) - (pass out on $NIC_IF inet from xnf0:network to any nat-to $NIC_IF)
```
INF [dispatcher] packet from client 10.137.0.X -> 10.137.0.Z
INF [dispatcher] transmit 10.137.0.Y -> 10.137.0.Z
INF [dispatcher] packet from client 10.137.0.Z -> 10.137.0.Y
INF [dispatcher] transmit 10.137.0.Z -> 10.137.0.X
```
Result: ping requests and replies from 10.137.0.Y to 10.137.0.Z inside xnf0
I’m also not able to ping AppVM (10.137.0.X) from OpenBSD/HardenedBSD (10.137.0.Z):
```
INF [client_eth:dom$XID:10.137.0.Z] who-has 10.137.0.X unknown address; not responding
```