Networking Modes
Shared IP (Traditional)
The jail shares the host's network stack and is limited to one or more alias IPs.
VNET
Jail gets its own complete network stack.
Shared IP Configuration
# /etc/jail.conf -- shared-IP jail: it has no network stack of its own and
# can only use the addresses listed in ip4.addr
myjail {
    host.hostname = "myjail.local";
    path = "/jails/myjail";
    # "iface|addr/mask" form: jail(8) adds each alias to the named interface
    # when the jail starts and removes it when the jail stops. Several
    # addresses can be given as one comma-separated list.
    ip4.addr = "em0|192.168.1.50/24",
               "em0|192.168.1.51/24",
               # Jail-private loopback address. NOTE(review): jail(8) maps
               # 127.0.0.1 inside the jail to the first address of this list,
               # not to this alias -- confirm which address your services expect.
               "lo0|127.0.0.2/8";
}
Host Configuration
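# Add the alias IP to the interface at boot (rc.conf). A /32 mask is the
# conventional form for an extra address in an already-configured subnet.
# When jail.conf uses the "em0|addr" form, jail(8) manages the alias itself
# and this line is only a belt-and-braces duplicate.
ifconfig_em0_alias0="inet 192.168.1.50 netmask 255.255.255.255"
# Apply now. "service netif restart" reconfigures every interface and can
# interrupt remote sessions; adding the alias live touches only em0.
ifconfig em0 inet 192.168.1.50 netmask 255.255.255.255 alias
# Verify the alias is present
ifconfig em0 | grep 192.168.1.50
VNET Configuration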
Enable VNET Support
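# /boot/loader.conf -- load the bridge and epair modules at boot.
# VNET itself requires a kernel built with VIMAGE (part of GENERIC since
# FreeBSD 12.0); check with "sysctl kern.features.vimage" (1 = available).
if_bridge_load="YES"
if_epair_load="YES"
# Load them now for the running system without a reboot
kldload if_bridge if_epair
Create Bridge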
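# Create the bridge at boot and make em0 a member. Security consequence:
# every jail attached to bridge0 sits on the same L2 segment as the host's
# LAN (it sees broadcast/ARP traffic and can reach any LAN host directly).
# For untrusted jails prefer the private-bridge + NAT layout, where all
# jail traffic is routed through the host and can be filtered there.
sysrc cloned_interfaces+="bridge0"
sysrc ifconfig_bridge0="addm em0 up"
# Apply: clone the new interface and configure only it, instead of
# "service netif restart" which reconfigures every interface
service netif cloneup
service netif start bridge0
# Whether pf sees bridged frames is governed by these sysctls; review
# them before relying on pf rules for bridged jails
sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge
VNET Jail Configuration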
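# /etc/jail.conf -- VNET jail with its own network stack, attached to
# bridge0 through an epair. Because bridge0 contains em0, the jail shares
# the host LAN's L2 segment.
myjail {
    host.hostname = "myjail.local";
    path = "/jails/myjail";
    # Per-jail epair number. Give every jail its own value so the interface
    # names below do not collide between jails.
    $id = 0;
    # Enable VNET and hand the "b" end of the epair to the jail
    vnet;
    vnet.interface = "epair${id}b";
    # Create the epair before the jail starts and plug the host ("a") end
    # into the bridge. "ifconfig epairN create" fails if epairN already
    # exists (e.g. left over after an unclean stop); destroy it by hand first.
    exec.prestart = "ifconfig epair${id} create up";
    exec.prestart += "ifconfig bridge0 addm epair${id}a";
    # Undo both steps after the jail stops; destroying the "a" end also
    # removes the "b" end
    exec.poststop = "ifconfig bridge0 deletem epair${id}a";
    exec.poststop += "ifconfig epair${id}a destroy";
    # The jail's own rc configures the "b" end from the jail's /etc/rc.conf
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
Jail Internal Configuration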
# Inside the jail's /etc/rc.conf: the "b" end of the epair is the jail's
# only interface, so it carries the address and the default route.
# Name resolution additionally needs a valid /etc/resolv.conf in the jail
# (not shown here).
ifconfig_epair0b="inet 192.168.1.50/24"
defaultrouter="192.168.1.1"
NAT for Jails
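# /etc/pf.conf -- NAT for jails on a private network behind the host.
# Two settings outside this file are required, otherwise these rules
# have no effect:
#   sysrc gateway_enable="YES"    (net.inet.ip.forwarding=1: the host must
#                                  route between the jail bridge and em0)
#   sysrc pf_enable="YES" && service pf start ; reload: pfctl -f /etc/pf.conf
ext_if = "em0"
jail_net = "192.168.100.0/24"
# Translation rules must precede filter rules in pf.conf.
# Masquerade the jail network behind em0's current address
nat on $ext_if from $jail_net to any -> ($ext_if)
# Allow jail traffic (stateful by default, so replies match the state).
# As written this also lets jails reach the host itself and the rest of
# the LAN; narrow "to any" to the destinations the jails actually need.
pass from $jail_net to any
Port Forwarding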
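# /etc/pf.conf
# Forward TCP port 80 arriving on em0 to the jail. rdr only rewrites the
# destination address: with a block-by-default ruleset the redirected
# packets still need a pass rule, and filter rules see the translated
# (jail) address. Keep rdr in the translation section, above the filters.
# 192.168.1.50 must be the jail's own address; for a NATed jail on the
# private bridge use its 192.168.100.x address instead. Restrict "from any"
# if the service is not meant to be public.
rdr on em0 proto tcp from any to (em0) port 80 -> 192.168.1.50 port 80
pass in on em0 proto tcp from any to 192.168.1.50 port 80
Jail with Private Network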
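# Create an internal bridge with no physical member. The host owns
# 192.168.100.1 on it and routes for the jails, so jail traffic never
# reaches the LAN at layer 2 and every packet crosses the host, where pf
# can filter it -- the safer layout for untrusted jails.
sysrc cloned_interfaces+="bridge1"
sysrc ifconfig_bridge1="inet 192.168.100.1 netmask 255.255.255.0"
# Reaching beyond the host needs IP forwarding (plus the pf NAT rule)
sysrc gateway_enable="YES"
# Apply now without a reboot
service netif cloneup
service netif start bridge1
sysctl net.inet.ip.forwarding=1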
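# Jail uses the internal network (excerpt: path, host.hostname and the
# exec.start/exec.stop lines are as in the earlier VNET example)
myjail {
    # Per-jail epair number so interface names do not collide between jails
    $id = 1;
    vnet;
    vnet.interface = "epair${id}b";
    exec.prestart = "ifconfig epair${id} create up";
    exec.prestart += "ifconfig bridge1 addm epair${id}a";
    # Undo the prestart steps when the jail stops; without this the epair
    # and the bridge membership outlive the jail
    exec.poststop = "ifconfig bridge1 deletem epair${id}a";
    exec.poststop += "ifconfig epair${id}a destroy";
}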
# Jail's rc.conf: address on the private network, the host's bridge
# address as the default gateway
ifconfig_epair1b="inet 192.168.100.10/24"
defaultrouter="192.168.100.1"
Troubleshooting
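# Check jail network config
jexec myjail ifconfig
jexec myjail netstat -rn
# List jails (jls shows no addresses for VNET jails) and bridge members
jls -v
ifconfig bridge0
# Test connectivity. ping needs a raw socket, which a jail refuses unless
# allow.raw_sockets is set in jail.conf (it fails with "Operation not
# permitted"); a TCP probe works without that permission.
jexec myjail ping 8.8.8.8
jexec myjail nc -z -w 3 8.8.8.8 53
# DNS resolution (needs a valid /etc/resolv.conf inside the jail)
jexec myjail host google.com
# Check routing, forwarding and NAT on the host
netstat -rn
sysctl net.inet.ip.forwarding
pfctl -s nat
pfctl -s state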