FreeBSD Jail Access Private Network Via NAT and PF

Posted on in Categories , , last updated February 20, 2011

I‘ve FreeBSD 7.x server with 3 jails are configured to run a mail, web and MySQL services. My FreeBSD box has two network interfaces. First, interface is connected to LAN and other is directly connected to the Internet via public IP. My DNS servers are hosted on private network (LAN). FreeBSD 7.x jail only support one interface and one IP address. How do I configure jail (FreeBSD vps) to access my DNS servers hosted inside my LAN using PF firewall?

NAT is the answer to your problem. You can use BSD PF or FreeBSD firewall to setup NAT. Route all private traffic using NAT to LAN.

This simple pf rule is very specific about what it will perform nat on. I specify the source as my subnet of public IPs and the destination as This keeps NAT out of the equation but for this very specific need.

Open /etc/pf.conf file, enter:
# vi /etc/pf.conf
Append code as follows:
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip

Save and close the file. Reload new rules:
# /etc/rc.d/pf reload

  • lan_if=”em0″ : Your server’s real interface name. This is connected to LAN.
  • >lan_if_subnet=”″ : Add LAN subnet.
  • lan_if_ip=”″ : em0 IP address.
  • jail_vps_server_ip=”″ : Jail server’s public IP address. You can use subnet if you have 5-6 public IP address assigned to jail such as

1 comment

  1. I have an abuntu 7.10 linux box server running bind9. After initial set up it ran smoothly and resolved request very well. But problem started when the server restarted due to power failure. How do i get the domain name services start at bootup. Have tried a lot of things and got nothing.

Leave a Comment