FreeBSD Jail Access Private Network Via NAT and PF

I‘ve FreeBSD 7.x server with 3 jails are configured to run a mail, web and MySQL services. My FreeBSD box has two network interfaces. First, interface is connected to LAN and other is directly connected to the Internet via public IP. My DNS servers are hosted on private network (LAN). FreeBSD 7.x jail only support one interface and one IP address. How do I configure jail (FreeBSD vps) to access my DNS servers hosted inside my LAN using PF firewall?

NAT is the answer to your problem. You can use BSD PF or FreeBSD firewall to setup NAT. Route all private traffic using NAT to LAN.

This simple pf rule is very specific about what it will perform nat on. I specify the source as my subnet of public IPs and the destination as This keeps NAT out of the equation but for this very specific need.

Open /etc/pf.conf file, enter:
# vi /etc/pf.conf
Append code as follows:
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip

Save and close the file. Reload new rules:
# /etc/rc.d/pf reload

  • lan_if=”em0″ : Your server’s real interface name. This is connected to LAN.
  • >lan_if_subnet=”″ : Add LAN subnet.
  • lan_if_ip=”″ : em0 IP address.
  • jail_vps_server_ip=”″ : Jail server’s public IP address. You can use subnet if you have 5-6 public IP address assigned to jail such as
This entry is 4 of 6 in the FreeBSD Jail Operating System-level Virtualization Tutorial series. Keep reading the rest of the series:
  1. Setup FreeBSD Jail With ezjail
  2. FreeBSD Jail Allow Ping / tracerouter Commands
  3. FreeBSD Jail Add Multiple IPv4 / IPv6 Address
  4. FreeBSD Jail Access Private Network Via NAT and PF
  5. How To Upgrade FreeBSD Jail ( OS Level Virtualization )
  6. FreeBSD Jail Allow Sound And Flash Access

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 1 comment so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
1 comment… add one
  • kngxly Feb 24, 2009 @ 13:28

    I have an abuntu 7.10 linux box server running bind9. After initial set up it ran smoothly and resolved request very well. But problem started when the server restarted due to power failure. How do i get the domain name services start at bootup. Have tried a lot of things and got nothing.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum