Multiple FreeBSD jails sharing one IP address

If you want to run multiple jails on FreeBSD with only one external IP address, you can put all jails on private addresses with a little help from a loopback interface, NAT and PF.

Networking

Each jail requires one IP address. First create the lo1 loopback interface and assign IPs to it:

# ifconfig lo1 create
# ifconfig lo1 inet 10.0.0.1 netmask 255.255.255.0 alias
# ifconfig lo1 inet 10.0.0.2 netmask 255.255.255.0 alias
...

To make this permanent, add the following lines to /etc/rc.conf:

cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
...

Now configure port redirection (forwarding) from your external IP to your jails' IPs. Here are my PF lines, where ext._ip stands for the external IP address (add them to /etc/pf.conf):

rdr on re0 proto tcp from any to ext._ip port http -> 10.0.0.1 port http
rdr on re0 proto tcp from any to ext._ip port ircd -> 10.0.0.2 port ircd
...

If the jails need network access (e.g. to download ports), create NAT on your external network interface:

nat on re0 from lo1:network to any -> (re0)

Finally reload PF rules:

# pfctl -d
# pfctl -e -f /etc/pf.conf
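
A redirect that points at an address no jail holds silently drops traffic, so it is worth cross-checking the rdr targets against the lo1 addresses before reloading. The script below is an added example, not part of the original post: check_rdr and the sample files are hypothetical, 203.0.113.10 is a documentation address standing in for the external IP, and it assumes rdr targets are written as literal addresses rather than macros or tables.

```sh
#!/bin/sh
# Added example: cross-check pf.conf rdr targets against lo1 addresses in rc.conf.

# check_rdr RC_CONF PF_CONF
# Prints each rdr rule whose target is not an address configured on lo1
# and returns 1 if any such rule exists, 0 otherwise.
check_rdr() {
    awk '
        # rc.conf: remember every "inet ADDR" on ifconfig_lo1 / ifconfig_lo1_aliasN.
        FILENAME == ARGV[1] {
            if ($0 ~ /^ifconfig_lo1(_alias[0-9]+)?=/) {
                n = split($0, w, /[ ="]+/)
                for (i = 1; i < n; i++)
                    if (w[i] == "inet") { a = w[i + 1]; sub(/\/.*/, "", a); addr[a] = 1 }
            }
            next
        }
        # pf.conf: the redirect target is the word that follows "->".
        $1 == "rdr" {
            for (i = 1; i < NF; i++)
                if ($i == "->" && !($(i + 1) in addr)) {
                    print "rdr target not on lo1: " $0
                    bad = 1
                }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample input; the 10.0.0.3 rule is a deliberate mismatch.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rc.conf" <<'EOF'
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_lo1_alias1="inet 10.0.0.2 netmask 255.255.255.0"
EOF
cat > "$demo_dir/pf.conf" <<'EOF'
rdr on re0 proto tcp from any to 203.0.113.10 port http -> 10.0.0.1 port http
rdr on re0 proto tcp from any to 203.0.113.10 port ircd -> 10.0.0.2 port ircd
rdr on re0 proto tcp from any to 203.0.113.10 port smtp -> 10.0.0.3 port smtp
nat on re0 from lo1:network to any -> (re0)
EOF
check_rdr "$demo_dir/rc.conf" "$demo_dir/pf.conf" || echo "fix the rules above before reloading PF"
```

On a real host, call check_rdr /etc/rc.conf /etc/pf.conf; pfctl -nf /etc/pf.conf additionally parses the ruleset without loading it.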

Ezjail

Install ezjail from /usr/ports/sysutils/ezjail:

# cd /usr/ports/sysutils/ezjail
# make install clean

After installing ezjail, create the base jail. It is used as the skeleton for all jails. Before creating the base jail you need current FreeBSD sources in /usr/src. If you have already built them, add the -i option to the update command to avoid (re)building them:

# ezjail-admin update

Creating jails

Once the basejail is installed, we are ready to create jails:

# ezjail-admin create -f default apachejail 10.0.0.1
# ezjail-admin create -f default ircjail 10.0.0.2
