Solaris 11/12 PF Firewall NAT Configuration

• Create a vNic and assign to each kernel zone.
• Create a vNic for use on the global zone.
• Set the default gateway to the global zone vnic.

global # dladm create-vnic kz1
global # dladm create-vnic kz2
global # dladm create-vnic gl1

zonecfg -z kz1 info
[..]snip
net:
	configure-allowed-address: true
	physical: kz1
	id: 1
[..]snip
Zone IP address assignments
kz1 # ipadm create-addr -a 10.10.1.11/24 net0
kz1 # route -p add default 10.10.1.1

ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --         127.0.0.1/8
   lo0/v6         static     ok           --         ::1/128
net0              ip         ok           --         --
   net0/v4        static     ok           --         10.10.1.11/24
   net0/v6        addrconf   ok           --         fe80::8:20ff:feaa:b14f/10

netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface 
-------------------- -------------------- ----- ----- ---------- --------- 
default              10.10.1.1            UG        2      16542           
10.10.1.0            10.10.1.11           U         3         19 net0      
127.0.0.1            127.0.0.1            UH        2       9716 lo0       

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If   
--------------------------- --------------------------- ----- --- ------- ----- 
::1                         ::1                         UH      2      38 lo0   
fe80::/10                   fe80::8:20ff:feaa:b14f      U       2       0 net0 


Global zone vNic and IP address
global # ipadm create-addr -a 10.10.1.1/24 gl1


Now we are ready for the PF configuration.
Below is how the /etc/firewall/pf.conf
Note:  The pf.conf  is a very simplified configuration just for the purpose of NAT.
ext_if = "localnet0"    # macro for external interface
int_if = "kz1"          # macro for internal interface, Note: this is not used in this example.

pass out on $ext_if from 10.10.1.0/24 to any nat-to 192.168.1.50


Finally enable firewall with svcadm
svcadm enable svc:/network/firewall:default


Helpful tips
Check the PF active running rule set.
Tip:  I have struggled with this for a while, as my rule-set had an syntax issue. I was using the old nat keyword which is now obsolete, causing my rule-set to break(and not being used), but by checking the service it will still show online, but it will be loading a default rule-set.
Note: Its always a good idea especially if things don't work properly to verify the active rule set.

To verify the active rule set, just run the below (make sure it is waht you expect it to be). 
pfctl -s rules
pass out on localnet0 inet from 10.10.1.0/24 to any flags S/SA nat-to 192.168.1.50


The below will show you the current active sessions (i.e. NAT being used).
pfctl -s state
all udp 192.168.1.50:57472 (10.10.1.11:59700) -> 10.10.3.1:53       MULTIPLE:SINGLE
all tcp 192.168.1.50:54106 (10.10.1.11:63464) -> 10.10.1.207:22       ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:53081 (10.10.1.11:63814) -> 10.10.3.1:53       MULTIPLE:SINGLE
all udp 192.168.1.50:63694 (10.10.1.11:63222) -> 10.10.3.1:53       MULTIPLE:SINGLE
all udp 192.168.1.50:65501 (10.10.1.11:57828) -> 10.10.3.1:53       MULTIPLE:SINGLE
all udp 192.168.1.50:52717 (10.10.1.11:50207) -> 10.10.3.1:53       MULTIPLE:SINGLE


Anther handy option is, to verify the new/modified rule set for syntax errors.
pfctl -vnf pf.conf


Reference
Official documentation