Multiple FreeBSD jails sharing one IP address

If you want to run multiple jails on FreeBSD with only one external IP address, you can put all jails on private addresses with a little help from a loopback interface, NAT and PF.

Networking

Each jail requires its own IP address. First create the lo1 loopback interface and assign the jail IPs to it:

# ifconfig lo1 create
# ifconfig lo1 inet 10.0.0.1 netmask 255.255.255.0 alias
# ifconfig lo1 inet 10.0.0.2 netmask 255.255.255.0 alias
...

To make this permanent, add the following lines to /etc/rc.conf:

cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
...

Now configure port redirection (forwarding) from your external IP to the jails' IPs. Here are my PF rules (add them to /etc/pf.conf; ext._ip stands for the host's external address). With this PF syntax the translation rules (rdr, nat) must come before the filter rules, and the redirected traffic still needs a matching pass rule if your ruleset blocks by default:

rdr on re0 proto tcp from any to ext._ip port http -> 10.0.0.1 port http
rdr on re0 proto tcp from any to ext._ip port ircd -> 10.0.0.2 port ircd
...

If the jails need outbound network access (e.g. to download ports), add NAT on your external network interface:

nat on re0 from lo1:network to any -> (re0)

Finally load the PF rules. If PF is already running, pfctl -f replaces the ruleset in place without disabling the firewall (disabling it with -d first leaves the host unfiltered for a moment); -e is only needed to enable PF the first time, and pf_enable="YES" in /etc/rc.conf makes it start at boot:

# pfctl -e
# pfctl -f /etc/pf.conf

Ezjail

Install ezjail from /usr/ports/sysutils/ezjail:

# cd /usr/ports/sysutils/ezjail
# make install clean

After installing ezjail, create the base jail; it is the skeleton shared by all jails. Building it requires current FreeBSD sources in /usr/src. If you have already built world from those sources, add the -i option to the update command so it installs the existing build instead of (re)building it:

# ezjail-admin update

Creating jails

Once the basejail is installed we are ready to create the jails, each bound to one of the lo1 addresses (afterwards set ezjail_enable="YES" in /etc/rc.conf and start them with ezjail-admin start):

# ezjail-admin create -f default apachejail 10.0.0.1
# ezjail-admin create -f default ircjail 10.0.0.2
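The Networking and Creating jails steps above each repeat one line per jail, and those lines must agree on the jail's address and port. The script below is an added example, not code from the original post or from ezjail: it generates the rc.conf aliases, a complete pf.conf (including the filter rules the post leaves implicit) and the ezjail-admin commands from a single jail table. The interface names re0 and lo1, the two-row jail table and the ssh pass rule for the host are placeholders assumed here, not taken from the post; the PF rules use the same pre-FreeBSD 10 syntax as the post.

```sh
#!/bin/sh
# Added example, not code from the original post or from ezjail: generate the
# rc.conf aliases, the pf.conf rules and the ezjail-admin commands from one
# jail table, so the three places that must agree on each jail's address and
# port cannot drift apart. Placeholders assumed here (not from the post):
# re0 as external interface, lo1 as the jail loopback, the two-row jail table,
# and ssh as the only service the host itself exposes. PF rules use the
# pre-FreeBSD 10 syntax of the post (translation rules before filter rules).

EXT_IF="${EXT_IF:-re0}"
JAIL_IF="${JAIL_IF:-lo1}"
JAIL_GW="10.0.0.254"            # first address on lo1, as in the post's rc.conf

# Constructed jail table: name, private IP, external TCP port, port inside jail.
JAILS='apachejail 10.0.0.1 80 80
ircjail 10.0.0.2 6667 6667'

# /etc/rc.conf fragment: cloned interface, its first address, one alias per jail.
rc_conf_lines() {
    printf 'cloned_interfaces="%s"\n' "$JAIL_IF"
    printf 'ifconfig_%s="inet %s netmask 255.255.255.0"\n' "$JAIL_IF" "$JAIL_GW"
    n=0
    printf '%s\n' "$JAILS" | while read -r name ip eport jport; do
        [ -n "$name" ] || continue
        printf 'ifconfig_%s_alias%d="inet %s netmask 255.255.255.0"\n' "$JAIL_IF" "$n" "$ip"
        n=$((n + 1))
    done
}

# /etc/pf.conf: macros, skip the loopbacks, then nat/rdr, then the filter rules
# the post leaves implicit. With a default block, rdr alone admits nothing;
# filter rules see the translated destination, so pass to the jail address.
pf_conf_lines() {
    printf 'ext_if="%s"\n' "$EXT_IF"
    printf 'jail_if="%s"\n' "$JAIL_IF"
    printf '%s\n' 'set skip on lo0' 'set skip on $jail_if'
    printf '%s\n' 'nat on $ext_if from $jail_if:network to any -> ($ext_if)'
    printf '%s\n' "$JAILS" | while read -r name ip eport jport; do
        [ -n "$name" ] || continue
        printf 'rdr on $ext_if proto tcp from any to ($ext_if) port %s -> %s port %s\n' "$eport" "$ip" "$jport"
    done
    printf '%s\n' 'block in on $ext_if' 'pass out on $ext_if keep state'
    # Assumed: keep management access to the host itself.
    printf '%s\n' 'pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state'
    printf '%s\n' "$JAILS" | while read -r name ip eport jport; do
        [ -n "$name" ] || continue
        printf 'pass in on $ext_if proto tcp from any to %s port %s flags S/SA keep state\n' "$ip" "$jport"
    done
}

# ezjail-admin create commands for the same table (printed, not executed).
ezjail_create_cmds() {
    printf '%s\n' "$JAILS" | while read -r name ip eport jport; do
        [ -n "$name" ] || continue
        printf 'ezjail-admin create -f default %s %s\n' "$name" "$ip"
    done
}

rc_conf_lines; echo; pf_conf_lines; echo; ezjail_create_cmds
```

Redirect the pf_conf_lines output to a file and check it with pfctl -nf before loading it; -n parses the ruleset without installing it, so a syntax error is caught while the old rules are still active.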


Comments

  1. Thank you for this simple and informative document, I found it very helpful. I did not realize that nat is required for the jail, otherwise it cannot reach the network and download ports. I would imagine that you would also need to have sysctl net.inet.ip.forwarding=1 and then add gateway_enable="YES" into the host's /etc/rc.conf? Because the host would need to be able to forward packets. I will double-check this on my server.
