typedef int (*funcptr)();

An engineers technical notebook

NAT with PF on an interface with multiple IP addresses

If you want to do NAT for your currently running jail instances on FreeBSD so that they can have outgoing connections you could try the following pf.conf to set up NAT on the interface that the jails have their IP addresses on.

ext_if="em0"    # The network card your default gateway is on
jail_if="lo1"   # The interface that your jails have IP addresses on

# Set some options
set optimization aggressive
set block-policy drop
set skip on lo

# NAT on the external interface when coming from the jail interface
nat on $ext_if from $jail_if:network:0 to any -> ($ext_if)

# We just pass everything
pass quick all

What I have done is create IP addresses within the private network range (10/8, 172.16/12, 192.168/16) on the lo1 interface. These can't be in the 127/8 range because those addresses can't be NAT'ed (not sure if this is a limitation in pf or if this is a FreeBSD limitation), which is a shame because using would be pretty awesome in my opinion.

What I did find though is that the above will not work correctly if your main network card (the one your default gateway is on, in the example em0) contains multiple IP addresses. At that point the syntax ($ext_if) does not function correctly and will cause packet loss/drop. 1

So instead of using the syntax above we simply replace ($ext_if) with the actual IP address of the interface. This takes care of the issue and will let your jails have proper internet access without issues.


set optimization aggressive
set block-policy drop
set skip on lo

nat on $ext_if from $jail_if:network:0 to any -> # Your IP!

pass quick all

The other way you can solve this problem off course is to provide your jails with IP addresses within the same range that go to your default gateway thereby solving the problem of needing to NAT in the first place.

  1. Do note that I am using FreeBSD 8.2, so this may be fixed in the new FreeBSD 9 that is due to be released soon.