Multiple FreeBSD jails sharing one IP address

If you want to run multiple jails on FreeBSD with only one external IP address, you can put all jails on private addresses with a little help from a loopback interface, NAT and PF.


Each jail requires one IP address. First create the lo1 loopback interface and assign IPs to it:

# ifconfig lo1 create
# ifconfig lo1 inet netmask alias
# ifconfig lo1 inet netmask alias

To make this permanent, add the following lines to /etc/rc.conf:

ifconfig_lo1="inet netmask"
ifconfig_lo1_alias0="inet netmask"

Now configure port redirection (forwarding) from your external IP to your jails' IPs. Here are my PF lines (add them to /etc/pf.conf):

rdr on re0 proto tcp from any to ext._ip port http -> port http
rdr on re0 proto tcp from any to ext._ip port ircd -> port ircd

If the jails need network access (e.g. to download ports), create NAT on your external network interface:

nat on re0 from lo1:network to any -> (re0)

Finally reload PF rules:

# pfctl -d
# pfctl -e -f /etc/pf.conf
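
With a single shared external address, a second rdr rule for the same protocol and port never takes effect, because PF applies the first matching translation rule. The script below is an added example, not part of the original post: it renders the rdr and nat lines from a jail table and refuses a table in which two jails claim the same port. The addresses, the port numbers and the name render_pf_rules are constructed placeholders.

```sh
#!/bin/sh
# Added example: render pf.conf translation rules for jails behind one
# external IP. Every name and address here is a constructed placeholder.

EXT_IF="re0"          # external interface, as used on this page
EXT_IP="192.0.2.10"   # constructed external address (documentation range)

# Constructed jail table: name, lo1 alias address, protocol, port.
# Ports are numeric so one port cannot hide behind two spellings.
JAILS="apachejail 10.0.0.1 tcp 80
ircjail 10.0.0.2 tcp 6667"

# Read the table on stdin, print rdr + nat rules.
# Returns 1 (and prints nothing on stdout) if two jails claim one port.
render_pf_rules() {
    awk -v ifc="$EXT_IF" -v ext="$EXT_IP" '
    NF == 0 { next }
    {
        key = $3 "/" $4
        if (key in owner) {
            printf "error: %s already goes to %s, refused for %s\n", \
                key, owner[key], $1 > "/dev/stderr"
            bad = 1
            next
        }
        owner[key] = $1
        rules[++n] = sprintf("rdr on %s proto %s from any to %s port %s -> %s port %s", \
            ifc, $3, ext, $4, $2, $4)
    }
    END {
        if (bad) exit 1
        for (i = 1; i <= n; i++) print rules[i]
        printf "nat on %s from lo1:network to any -> (%s)\n", ifc, ifc
    }'
}

# Stand-alone run: print the rules for the constructed table.
printf '%s\n' "$JAILS" | render_pf_rules
```

The generated lines can be pasted into /etc/pf.conf and syntax-checked with pfctl -nf /etc/pf.conf before reloading.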


Install ezjail from /usr/ports/sysutils/ezjail:

# cd /usr/ports/sysutils/ezjail
# make install clean

After installing ezjail, create the base jail. This jail is used as the skeleton for all jails. Before creating the base jail you need to have current FreeBSD sources in /usr/src. If you have already built them, add the -i option to the update command to prevent (re)building them:

# ezjail-admin update

Creating jails

Once the base jail is installed, we are ready to create jails:

# ezjail-admin create -f default apachejail
# ezjail-admin create -f default ircjail


4 thoughts on “Multiple FreeBSD jails sharing one IP address”

  1. Thank you for this simple and informative document; I found it very helpful. I did not realize that nat is required for the jail, otherwise it cannot reach the network and download ports. I would imagine that you would also need to have sysctl net.inet.ip.forwarding=1 and then add gateway_enable="YES" into the host's /etc/rc.conf? Because the host would need to be able to forward packets. I will double-check this on my server.
