The token-based unattended provisioning system (default from Foreman
1.4.0 onwards) should help lift your NAT requirements - if you can get
at the token somehow. Perhaps a generic iPXE script that does an API
query by MAC to find the host/token and returns the correct URL to
chainload?
