If you want to run multiple jails on FreeBSD behind a single external IP address, you can give every jail a private address on a loopback interface and let PF do the translation: rdr rules forward the ports you choose to expose in to the right jail, and a nat rule lets the jails reach out through the host's address. Only the redirected ports are reachable from outside; everything else stays private to the host.
Each jail needs its own IP address. First create the lo1 loopback interface and add one address per jail to it as an alias:
# ifconfig lo1 create
# ifconfig lo1 inet 10.0.0.1 netmask 255.255.255.0 alias
# ifconfig lo1 inet 10.0.0.2 netmask 255.255.255.0 alias
...
To make this persistent add the following lines to /etc/rc.conf, one ifconfig_lo1_aliasN line per jail (lo1 itself must also be created at boot, via cloned_interfaces in the same file, or the alias lines have no interface to attach to):
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
Now configure port redirection (forwarding) from the external IP to the jails' IPs. Here is my PF line (add it to /etc/pf.conf; re0 is the external interface and ext._ip stands for the host's external address). Note that only the redirected port reaches the jail, so list exactly the services each jail should expose:
rdr on re0 proto tcp from any to ext._ip port ircd -> 10.0.0.2 port ircd
If the jails need outbound network access (e.g. to download ports), add a nat rule on the external interface that translates the jails' 10.0.0.0/24 addresses to the external one; without it the jails can be reached through rdr but cannot initiate connections.
Finally reload the PF rules. (Disabling pf and re-enabling it, as below, leaves the host unfiltered for a moment; pfctl -f on its own replaces the ruleset in place.)
# pfctl -d
# pfctl -e -f /etc/pf.conf
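A complete /etc/pf.conf for the setup above, as an added example (it is not the post's own file). It supplies the nat rule the text refers to but does not show, forwards only the listed ports, and blocks everything else inbound on the external interface. Assumptions: re0 as the external interface, 203.0.113.10 standing in for the post's ext._ip, and http/https as the ports apachejail exposes.

```pf
# /etc/pf.conf -- added example for the lo1 jail setup, not the post's own file
ext_if     = "re0"             # assumption: the post's external interface
ext_ip     = "203.0.113.10"    # assumption: stands in for the post's ext._ip
jail_net   = "10.0.0.0/24"     # the lo1 subnet from the post
apachejail = "10.0.0.1"
ircjail    = "10.0.0.2"

# Do not filter loopback traffic; the jails talk to each other over lo1.
set skip on { lo0 lo1 }
scrub in all

# Outbound: jails leave through the host's external address. This is the nat
# rule the post mentions; the parentheses make pf re-read the address of
# re0 if it changes, so the rule survives a DHCP lease change.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Inbound: only these ports are forwarded. With no port after the arrow the
# destination port is kept, so ircd stays ircd. (apachejail ports are assumed.)
rdr on $ext_if proto tcp from any to $ext_ip port { http, https } -> $apachejail
rdr on $ext_if proto tcp from any to $ext_ip port ircd -> $ircjail

# Default deny inbound on the external interface, then pass exactly the
# translated flows. Filtering happens after rdr, so the destination seen
# here is already the jail address, not $ext_ip.
block in log on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to $apachejail port { http, https } flags S/SA keep state
pass in on $ext_if proto tcp from any to $ircjail port ircd flags S/SA keep state
# The host itself: ssh only.
pass in on $ext_if proto tcp from any to $ext_ip port ssh flags S/SA keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading; pfctl -f /etc/pf.conf then swaps the ruleset in place, so pf never has to be disabled. With this ruleset nothing else inbound on re0 is answered, ICMP included; add pass rules for anything further you want reachable rather than widening the block.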
Install ezjail from /usr/ports/sysutils/ezjail:
# cd /usr/ports/sysutils/ezjail
# make install clean
After installing ezjail, create the base jail. It is the skeleton all jails share: ezjail mounts it read-only into every jail, so a compromised jail cannot alter the shared system files. Creating it requires current FreeBSD sources in /usr/src; if you have already built world from them, add the -i option to the update command so it installs without (re)building:
# ezjail-admin update
Once the base jail is installed, create the jails, giving each the address that was aliased on lo1 (ircjail gets 10.0.0.2, the target of the rdr rule above). Creating a jail does not start it; start it with ezjail-admin start afterwards.
# ezjail-admin create -f default apachejail 10.0.0.1
# ezjail-admin create -f default ircjail 10.0.0.2
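The whole procedure driven from one jail table, as an added example that is not code from the post or from ezjail: it derives the lo1 ifconfig commands, the persistent rc.conf lines and the ezjail-admin create commands from a single list, refuses duplicate or out-of-subnet addresses, and cross-checks a set of pf rules so that no rdr points at an address no jail owns (the way a forward silently ends up at the wrong jail after one is removed and its address reused). It prints the commands instead of running them, so it works on any POSIX sh; the jail table, the sample rules and the re0 name are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post or from ezjail: one jail table drives the
# lo1 aliases, the rc.conf lines and the ezjail-admin commands, and a set of
# pf rules is checked against the same table. Commands are printed, not run.
JAIL_IF="${JAIL_IF:-lo1}"          # the post's loopback interface for jails

# Constructed jail table: "name private-address", one jail per line.
JAILS='apachejail 10.0.0.1
ircjail 10.0.0.2
dbjail 10.0.0.3'

# Reject addresses outside the post's 10.0.0.0/24 and addresses used twice: a
# duplicate would hand one jail's forwarded ports to whichever jail binds first.
check_jails() {
    printf '%s\n' "$JAILS" | awk '
        $2 !~ /^10\.0\.0\.[0-9]+$/ { printf "%s: %s is outside the jail subnet\n", $1, $2 > "/dev/stderr"; bad = 1 }
        seen[$2]++                 { printf "%s: %s is already used\n", $1, $2 > "/dev/stderr"; bad = 1 }
        END                        { exit bad }'
}

# The post's ad-hoc ifconfig sequence for the running system.
ifconfig_commands() {
    printf 'ifconfig %s create\n' "$JAIL_IF"
    printf '%s\n' "$JAILS" | awk -v ifn="$JAIL_IF" \
        '{ printf "ifconfig %s inet %s netmask 255.255.255.0 alias\n", ifn, $2 }'
}

# The persistent form for /etc/rc.conf. cloned_interfaces is required so that
# lo1 exists at boot before the alias lines are applied.
rc_conf_lines() {
    printf 'cloned_interfaces="%s"\n' "$JAIL_IF"
    printf 'ifconfig_%s="inet 10.0.0.254 netmask 255.255.255.0"\n' "$JAIL_IF"
    printf '%s\n' "$JAILS" | awk -v ifn="$JAIL_IF" \
        '{ printf "ifconfig_%s_alias%d=\"inet %s netmask 255.255.255.0\"\n", ifn, NR - 1, $2 }'
}

# One ezjail-admin create per row, with the post's default flavour.
ezjail_commands() {
    printf '%s\n' "$JAILS" | awk '{ printf "ezjail-admin create -f default %s %s\n", $1, $2 }'
}

# Given pf rules with literal addresses (the loaded rules as printed by
# pfctl -sn, or a pf.conf without macros), report every rdr whose target is
# not in the jail table, i.e. a forward left behind after a jail was removed
# or renumbered. Returns 1 if any were found.
check_rdr_targets() {
    printf '%s\n' "$1" | awk -v jails="$JAILS" '
        BEGIN { n = split(jails, rows, "\n")
                for (i = 1; i <= n; i++) { split(rows[i], f, " "); known[f[2]] = f[1] } }
        /^rdr / { for (i = 1; i <= NF; i++)
                      if ($i == "->" && !($(i + 1) in known)) {
                          print "rdr to " $(i + 1) " matches no jail"; bad = 1 } }
        END { exit bad }'
}

# Constructed rules to check: the smtp forward points at an address no jail owns.
SAMPLE_RULES='nat on re0 from 10.0.0.0/24 to any -> (re0)
rdr on re0 proto tcp from any to 203.0.113.10 port ircd -> 10.0.0.2 port ircd
rdr on re0 proto tcp from any to 203.0.113.10 port smtp -> 10.0.0.9 port smtp'

main() {
    check_jails || return 1
    echo '# run now:';      ifconfig_commands
    echo '# /etc/rc.conf:'; rc_conf_lines
    echo '# create jails:'; ezjail_commands
    echo '# rdr check:';    check_rdr_targets "$SAMPLE_RULES" || echo '# fix the rules before loading them'
}
main
```

Run it as root with the output piped to sh only after reading it; the rdr check is meant to be run against pfctl -sn whenever a jail is deleted or renumbered, before the rules are reloaded.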
4 thoughts on “Multiple FreeBSD jails sharing one IP address”
Thank you for this simple and informative document, I found it very helpful. I did not realize that NAT is required for the jail, otherwise it cannot reach the network and download ports. I would imagine that you would also need to have sysctl net.inet.ip.forwarding=1 and then add gateway_enable="YES" into the host's /etc/rc.conf? Because the host would need to be able to forward packets. I will double-check this on my server.
PF (OpenBSD's packet filter) in FreeBSD seems to forward packets regardless of the net.inet.ip.forwarding setting. I left it off.
Precious information, nice & sober design on your blog – thanks!
Funny, I've been doing exactly the same, also with pf (port-redirection-wise there are some other options on FreeBSD) and ezjail :-)