
Jail Networking Configuration

Configuring network access for FreeBSD jails including VNET.

Last updated: 2025-01-15

Networking Modes

Shared IP (Traditional)

The jail shares the host's network stack, using one or more alias IPs on a host interface.

VNET

The jail gets its own complete network stack, independent of the host's.

Shared IP Configuration

# /etc/jail.conf
# Shared-IP jail: it uses the host's stack and may only use the addresses listed in ip4.addr
myjail {
    host.hostname = "myjail.local";
    path = "/jails/myjail";

    # Bind to specific IP on interface
    # Format is "interface|address/prefix"; with the interface prefix, jail(8) adds the
    # alias to em0 when the jail starts and removes it when the jail stops
    ip4.addr = "em0|192.168.1.50/24";

    # Or multiple IPs
    ip4.addr += "em0|192.168.1.51/24";

    # Localhost access
    # Gives the jail its own loopback address; without a lo0 address, 127.0.0.1 inside
    # the jail is mapped onto the jail's first IPv4 address instead
    ip4.addr += "lo0|127.0.0.2/8";
}

Host Configuration

# Add alias IP to interface (rc.conf)
# Only needed when jail.conf's ip4.addr gives a bare address; with the "em0|" prefix
# shown above, jail(8) manages the alias itself, so configure it in one place only.
# A /32 (255.255.255.255) mask is the convention for an alias in a subnet the
# interface already has an address in.
ifconfig_em0_alias0="inet 192.168.1.50 netmask 255.255.255.255"

# Apply
# This bounces every interface on the host (and any SSH session over it)
service netif restart

VNET Configuration

Enable VNET Support

# /boot/loader.conf
# Load the bridge and epair drivers at boot; both VNET examples below depend on them
if_bridge_load="YES"
if_epair_load="YES"

Create Bridge

# Create bridge interface
# bridge0 has em0 (the host's LAN interface) as a member, so jails attached to it sit
# on the same L2 segment as the host and can reach whatever the LAN can; use the
# internal bridge example below when jails should be isolated from the LAN
sysrc cloned_interfaces+="bridge0"
sysrc ifconfig_bridge0="addm em0 up"

# Apply
service netif restart

VNET Jail Configuration

# /etc/jail.conf
# VNET jail: the jail owns a full stack and gets one end of an epair as its interface.
# Interface names are hard-coded, so each jail built from this template needs its own
# epair number (compare the epair1/bridge1 example further down).
myjail {
    host.hostname = "myjail.local";
    path = "/jails/myjail";

    # Enable VNET
    # epair0b is moved into the jail's stack when the jail starts
    vnet;
    vnet.interface = "epair0b";

    # Create epair before jail starts
    # Creating epair0 yields epair0a (stays on the host, attached to bridge0) and epair0b
    exec.prestart = "ifconfig epair0 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a";

    # Clean up after jail stops
    # Destroying epair0a removes the whole pair, so the returned epair0b is not leaked
    exec.poststop = "ifconfig bridge0 deletem epair0a";
    exec.poststop += "ifconfig epair0a destroy";

    # Jail startup script configures networking
    # The jail's own rc.conf (next section) assigns the address to epair0b
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

Jail Internal Configuration

# Inside jail's /etc/rc.conf
# epair0b keeps its name inside the jail. Because bridge0 includes em0, the jail is on
# the host's LAN subnet and uses the LAN gateway directly (no NAT involved).
ifconfig_epair0b="inet 192.168.1.50 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

NAT for Jails

# /etc/pf.conf
# pf must be enabled on the host (pf_enable="YES" in rc.conf) and the host must forward
# IP packets (gateway_enable="YES") for this NAT to carry jail traffic out.
ext_if = "em0"
# Matches the bridge1 subnet of the "Jail with Private Network" example below; the
# bridged VNET jail above (192.168.1.x) is on the LAN directly and needs no NAT
jail_net = "192.168.100.0/24"

# NAT for jail network
# ($ext_if) in parentheses follows the interface's current address, so the rule
# survives an address change on em0
nat on $ext_if from $jail_net to any -> ($ext_if)

# Allow jail traffic
# Permits everything from the jail subnet, including to the host and any other
# internal networks it can reach; restrict destinations/ports here if jails must not
# see internal hosts. pf keeps state by default, so return traffic is allowed.
pass from $jail_net to any

Port Forwarding

# /etc/pf.conf
# Forward port 80 to jail
# rdr only rewrites the destination; the translated packet is still evaluated by the
# filter rules, so a ruleset with a default block also needs a pass rule for tcp to
# 192.168.1.50 port 80. (em0) tracks the interface's current address.
rdr on em0 proto tcp from any to (em0) port 80 -> 192.168.1.50 port 80

Jail with Private Network

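# Create internal bridge
# bridge1 has no physical member: the host holds the bridge address and acts as the
# jails' gateway, so jails on it are not on the LAN's L2 segment.
sysrc cloned_interfaces+="bridge1"
sysrc ifconfig_bridge1="inet 192.168.100.1 netmask 255.255.255.0"

# The host must forward packets between bridge1 and the outside interface, otherwise
# the pf NAT rule for 192.168.100.0/24 never sees the jails' traffic
sysrc gateway_enable="YES"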

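# Jail uses internal network
# host.hostname, path and exec.start/exec.stop are the same as in the VNET example
# above and are omitted here for brevity
myjail {
    vnet;
    vnet.interface = "epair1b";

    # Separate epair/bridge numbers from the bridged example so both jails can coexist
    exec.prestart = "ifconfig epair1 create up";
    exec.prestart += "ifconfig bridge1 addm epair1a";

    # Tear the epair down when the jail stops so it is not leaked on the host
    # (destroying epair1a removes epair1b too)
    exec.poststop = "ifconfig bridge1 deletem epair1a";
    exec.poststop += "ifconfig epair1a destroy";
}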

# Jail's rc.conf
# The default route is the host's bridge1 address, so every packet leaving the jail
# passes through the host's pf ruleset and NAT
ifconfig_epair1b="inet 192.168.100.10 netmask 255.255.255.0"
defaultrouter="192.168.100.1"

Troubleshooting

# Check jail network config
# For a VNET jail these show the jail's own interfaces and routing table, which the
# host's ifconfig/netstat do not display
jexec myjail ifconfig
jexec myjail netstat -rn

# Test connectivity
# ping needs a raw socket; in a shared-IP jail that is denied unless allow.raw_sockets
# is set in jail.conf, so a permission error here is not a network problem
jexec myjail ping 8.8.8.8

# DNS resolution
# Uses the jail's own /etc/resolv.conf; if ping works but this fails, look at DNS,
# not at routing or the firewall
jexec myjail host google.com

# Check routing on host
# Confirms the host knows the jail subnet (bridge1) and has a default route for NAT
netstat -rn