Forem: Tedson Myriam The latest articles on Forem by Tedson Myriam (@tedson_myriam_d315b5e36e2). https://forem.com/tedson_myriam_d315b5e36e2 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3765033%2F7393de7a-5aec-49ce-9258-d2058b9ecb16.png Forem: Tedson Myriam https://forem.com/tedson_myriam_d315b5e36e2 en FreeBSD Jails VNET Configuration Guide 2026 — Synthetic Context Tedson Myriam Tue, 10 Feb 2026 21:07:32 +0000 https://forem.com/tedson_myriam_d315b5e36e2/freebsd-jails-vnet-configuration-guide-2026-synthetic-context-32f3 https://forem.com/tedson_myriam_d315b5e36e2/freebsd-jails-vnet-configuration-guide-2026-synthetic-context-32f3 <h1> Setting Up FreeBSD 14 VNET Jails with IPv6-Only Networking </h1> <p>I've been running FreeBSD jails for years, but when I discovered VNET jails with proper network isolation, my infrastructure game changed completely. The ability to give each service its own network stack with full firewall control is a game-changer for security and flexibility. Let me walk you through how I set up modern VNET jails with IPv6-only networking on FreeBSD 14.</p> <h2> What You'll Learn </h2> <p>This guide covers setting up FreeBSD 14 VNET jails with:</p> <ul> <li>Robust network isolation using <code>epair</code> interfaces and <code>bridge</code> networking</li> <li>IPv6-only architecture for modern networking</li> <li>PF firewall integration at both host and jail levels</li> <li>Practical troubleshooting techniques</li> </ul> <p>FreeBSD Jails offer lightweight virtualization with process and filesystem isolation. While traditional jails share the host's network stack, VNET jails get their own independent network environment. This setup gives you complete control over each jail's networking, including IP addresses, routing tables, and firewalls.</p> <h2> 1. Preparing Your Host System </h2> <p>Before creating VNET jails, you need to configure your FreeBSD host properly.</p> <h3> 1.1 Kernel Modules and rc.conf Configuration </h3> <p>First, let's load the necessary kernel modules and configure them to load automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Load modules immediately</span> kldload if_epair kldload if_bridge kldload pf kldload pflog <span class="c"># Add to /etc/rc.conf for persistent loading</span> <span class="nb">echo</span> <span class="s1">'if_epair_load="YES"'</span> <span class="o">&gt;&gt;</span> /etc/rc.conf <span class="nb">echo</span> <span class="s1">'if_bridge_load="YES"'</span> <span class="o">&gt;&gt;</span> /etc/rc.conf <span class="nb">echo</span> <span class="s1">'pf_enable="YES"'</span> <span class="o">&gt;&gt;</span> /etc/rc.conf <span class="nb">echo</span> <span class="s1">'pflog_enable="YES"'</span> <span class="o">&gt;&gt;</span> /etc/rc.conf </code></pre> </div> <p>Next, configure the bridge interface in <code>/etc/rc.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/rc.conf additions</span> <span class="nv">cloned_interfaces</span><span class="o">=</span><span class="s2">"bridge0"</span> <span class="nv">ifconfig_bridge0</span><span class="o">=</span><span class="s2">"inet6 -ifdisabled up"</span> <span class="c"># IPv6-only bridge</span> <span class="nv">ipv6_enable</span><span class="o">=</span><span class="s2">"YES"</span> <span class="nv">ipv6_gateway_enable</span><span class="o">=</span><span class="s2">"YES"</span> <span class="nv">rtsold_enable</span><span class="o">=</span><span class="s2">"YES"</span> <span class="c"># If host needs to get IPv6 from upstream</span> <span class="nv">rtadvd_enable</span><span class="o">=</span><span class="s2">"YES"</span> <span class="c"># If host acts as a router for jails</span> </code></pre> </div> <h3> 1.2 sysctl Tunings </h3> <p>We need to adjust some sysctl parameters for proper networking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable IP forwarding for IPv4 and IPv6</span> sysctl net.inet.ip.forwarding<span class="o">=</span>1 sysctl net.inet6.ip6.forwarding<span class="o">=</span>1 <span class="c"># Configure bridge filtering</span> sysctl net.link.bridge.pfil_member<span class="o">=</span>0 sysctl net.link.bridge.pfil_bridge<span class="o">=</span>1 <span class="c"># Add to /etc/sysctl.conf for persistence</span> <span class="nb">echo</span> <span class="s1">'net.inet.ip.forwarding=1'</span> <span class="o">&gt;&gt;</span> /etc/sysctl.conf <span class="nb">echo</span> <span class="s1">'net.inet6.ip6.forwarding=1'</span> <span class="o">&gt;&gt;</span> /etc/sysctl.conf <span class="nb">echo</span> <span class="s1">'net.link.bridge.pfil_member=0'</span> <span class="o">&gt;&gt;</span> /etc/sysctl.conf <span class="nb">echo</span> <span class="s1">'net.link.bridge.pfil_bridge=1'</span> <span class="o">&gt;&gt;</span> /etc/sysctl.conf </code></pre> </div> <h3> 1.3 Basic Host pf.conf </h3> <p>Here's a basic PF configuration for the host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># /etc/pf.conf on the host </span><span class="n">ext_if</span> = <span class="s2">"vtnet0"</span> <span class="n">bridge_if</span> = <span class="s2">"bridge0"</span> <span class="n">jail_net</span> = <span class="s2">"2001:db8:jails::/64"</span> <span class="n">set</span> <span class="n">skip</span> <span class="n">on</span> <span class="n">lo0</span> <span class="n">set</span> <span class="n">skip</span> <span class="n">on</span> $<span class="n">bridge_if</span> <span class="n">scrub</span> <span class="n">in</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">all</span> <span class="n">fragment</span> <span class="n">reassemble</span> <span class="n">scrub</span> <span class="n">out</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">all</span> <span class="n">fragment</span> <span class="n">reassemble</span> <span class="c"># Default deny everything </span><span class="n">block</span> <span class="n">all</span> <span class="c"># Allow all outbound traffic from jails </span><span class="n">pass</span> <span class="n">out</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">from</span> $<span class="n">jail_net</span> <span class="n">to</span> <span class="n">any</span> <span class="n">keep</span> <span class="n">state</span> <span class="c"># Allow specific inbound traffic to jails </span><span class="n">pass</span> <span class="n">in</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">proto</span> <span class="n">tcp</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> $<span class="n">jail_net</span> <span class="n">port</span> { <span class="n">ssh</span>, <span class="n">http</span>, <span class="n">https</span> } <span class="n">keep</span> <span class="n">state</span> <span class="c"># Allow host to communicate with jails </span><span class="n">pass</span> <span class="n">in</span> <span class="n">quick</span> <span class="n">on</span> $<span class="n">bridge_if</span> <span class="n">from</span> $<span class="n">jail_net</span> <span class="n">to</span> <span class="n">any</span> <span class="n">keep</span> <span class="n">state</span> <span class="n">pass</span> <span class="n">out</span> <span class="n">quick</span> <span class="n">on</span> $<span class="n">bridge_if</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> $<span class="n">jail_net</span> <span class="n">keep</span> <span class="n">state</span> <span class="c"># Basic host protection </span><span class="n">pass</span> <span class="n">in</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">proto</span> <span class="n">icmp6</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> <span class="n">any</span> <span class="n">icmp6</span>-<span class="n">type</span> { <span class="n">echoreq</span>, <span class="n">routeradvert</span>, <span class="n">routersol</span> } <span class="n">keep</span> <span class="n">state</span> <span class="n">pass</span> <span class="n">out</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">proto</span> <span class="n">icmp6</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> <span class="n">any</span> <span class="n">icmp6</span>-<span class="n">type</span> { <span class="n">echoreq</span>, <span class="n">routeradvert</span>, <span class="n">routersol</span> } <span class="n">keep</span> <span class="n">state</span> <span class="n">pass</span> <span class="n">in</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">proto</span> <span class="n">tcp</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> ($<span class="n">ext_if</span>) <span class="n">port</span> <span class="n">ssh</span> <span class="n">keep</span> <span class="n">state</span> </code></pre> </div> <p>After configuring, enable PF:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pfctl <span class="nt">-e</span> <span class="nt">-f</span> /etc/pf.conf </code></pre> </div> <h2> 2. Creating VNET Jails with epair and bridge </h2> <p>Now let's create our first VNET jail with proper network isolation.</p> <h3> 2.1 Understanding epair and bridge Interaction </h3> <p>An <code>epair</code> interface is a virtual network device that comes in pairs (<code>epairXa</code> and <code>epairXb</code>). Here's how it works with VNET jails:</p> <ul> <li> <code>epairXa</code> goes into the jail's network stack</li> <li> <code>epairXb</code> stays on the host and connects to the bridge</li> <li>The bridge acts as a virtual switch connecting all jail interfaces</li> </ul> <h3> 2.2 jail.conf Structure for VNET Jails </h3> <p>Here's an example <code>jail.conf</code> entry for an IPv6-only VNET jail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># /etc/jail.conf </span><span class="n">vnet_base</span> { <span class="n">path</span> = <span class="s2">"/jails/basejail"</span>; <span class="n">mount</span>.<span class="n">devfs</span>; <span class="n">allow</span>.<span class="n">raw_sockets</span>; <span class="n">exec</span>.<span class="n">start</span> = <span class="s2">"/bin/sh /etc/rc"</span>; <span class="n">exec</span>.<span class="n">stop</span> = <span class="s2">"/bin/sh /etc/rc.shutdown"</span>; } <span class="n">vnet</span>-<span class="n">jail</span>-<span class="m">01</span> { <span class="n">host</span>.<span class="n">hostname</span> = <span class="s2">"vnet-jail-01"</span>; <span class="n">path</span> = <span class="s2">"/jails/vnet-jail-01"</span>; <span class="n">vnet</span>; <span class="n">vnet</span>.<span class="n">interface</span> = <span class="s2">"epair0a"</span>; <span class="c"># Commands executed on the host before jail starts </span> <span class="n">exec</span>.<span class="n">prestart</span> += <span class="s2">"ifconfig epair0 create"</span>; <span class="n">exec</span>.<span class="n">prestart</span> += <span class="s2">"ifconfig bridge0 addm epair0b"</span>; <span class="c"># Commands executed inside the jail after it starts </span> <span class="n">exec</span>.<span class="n">start</span> += <span class="s2">"ifconfig epair0a up"</span>; <span class="n">exec</span>.<span class="n">start</span> += <span class="s2">"ifconfig epair0a inet6 accept_rtadv"</span>; <span class="n">exec</span>.<span class="n">start</span> += <span class="s2">"route add -inet6 default fe80::1%epair0a"</span>; <span class="c"># Commands executed on the host after jail stops </span> <span class="n">exec</span>.<span class="n">poststop</span> += <span class="s2">"ifconfig bridge0 deletem epair0b"</span>; <span class="n">exec</span>.<span class="n">poststop</span> += <span class="s2">"ifconfig epair0b destroy"</span>; <span class="n">mount</span>.<span class="n">devfs</span>; <span class="n">allow</span>.<span class="n">raw_sockets</span>; <span class="n">exec</span>.<span class="n">clean</span>; <span class="n">exec</span>.<span class="n">consolelog</span> = <span class="s2">"/var/log/jail_vnet-jail-01_console.log"</span>; <span class="n">exec</span>.<span class="n">start</span> = <span class="s2">"/bin/sh /etc/rc"</span>; <span class="n">exec</span>.<span class="n">stop</span> = <span class="s2">"/bin/sh /etc/rc.shutdown"</span>; } </code></pre> </div> <p>To start the jail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>jail <span class="nt">-c</span> vnet-jail-01 </code></pre> </div> <p>To enter the jail's console:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>jexec vnet-jail-01 /bin/csh </code></pre> </div> <h2> 3. Configuring IPv6-Only Networking </h2> <p>An IPv6-only architecture simplifies network management and prepares your infrastructure for the future.</p> <h3> 3.1 Host rtadvd Configuration </h3> <p>Configure the host to act as a router for the jails:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># /etc/rc.conf (ensure these are present) </span><span class="n">ipv6_enable</span>=<span class="s2">"YES"</span> <span class="n">ipv6_gateway_enable</span>=<span class="s2">"YES"</span> <span class="n">rtadvd_enable</span>=<span class="s2">"YES"</span> <span class="c"># /etc/rtadvd.conf </span><span class="n">bridge0</span>:\ :<span class="n">addrs</span><span class="c">#1:prefix:2001:db8:jails::/64: </span></code></pre> </div> <p>Start the rtadvd service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>service rtadvd start </code></pre> </div> <h3> 3.2 Jail rc.conf and DNS Configuration </h3> <p>Inside the jail, ensure IPv6 is enabled:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># /jails/vnet-jail-01/etc/rc.conf </span><span class="n">ipv6_enable</span>=<span class="s2">"YES"</span> <span class="n">rtsol_enable</span>=<span class="s2">"YES"</span> </code></pre> </div> <p>Configure DNS in the jail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># /jails/vnet-jail-01/etc/resolv.conf </span><span class="n">nameserver</span> <span class="m">2001</span>:<span class="m">4860</span>:<span class="m">4860</span>::<span class="m">8888</span> <span class="n">nameserver</span> <span class="m">2001</span>:<span class="m">4860</span>:<span class="m">4860</span>::<span class="m">8844</span> </code></pre> </div> <h3> 3.3 Static IPv6 Addressing (Alternative) </h3> <p>For services needing stable addresses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># In /etc/jail.conf for vnet-jail-01 # ... </span><span class="n">exec</span>.<span class="n">start</span> += <span class="s2">"ifconfig epair0a inet6 2001:db8:jails::10/64 up"</span>; <span class="n">exec</span>.<span class="n">start</span> += <span class="s2">"route add -inet6 default 2001:db8:jails::1"</span>; <span class="c"># ... </span></code></pre> </div> <h2> 4. Implementing PF Firewall for Enhanced Security </h2> <p>PF provides powerful firewall capabilities at both host and jail levels.</p> <h3> 4.1 Host PF for VNET Jails </h3> <p>The host's PF controls traffic between external networks and the jail bridge:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># /etc/pf.conf (host) # ... # Define tags for specific jail services </span><span class="n">pass</span> <span class="n">in</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">proto</span> <span class="n">tcp</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> $<span class="n">jail_net</span> <span class="n">port</span> <span class="n">ssh</span> <span class="n">tag</span> <span class="n">SSH_JAIL</span> <span class="n">pass</span> <span class="n">in</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">proto</span> <span class="n">tcp</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> $<span class="n">jail_net</span> <span class="n">port</span> <span class="n">http</span> <span class="n">tag</span> <span class="n">HTTP_JAIL</span> <span class="c"># Example: allow SSH to specific jail IP </span><span class="n">pass</span> <span class="n">in</span> <span class="n">on</span> $<span class="n">ext_if</span> <span class="n">proto</span> <span class="n">tcp</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> <span class="m">2001</span>:<span class="n">db8</span>:<span class="n">jails</span>::<span class="m">10</span> <span class="n">port</span> <span class="n">ssh</span> <span class="n">keep</span> <span class="n">state</span> <span class="n">tag</span> <span class="n">SSH_JAIL_01</span> </code></pre> </div> <h3> 4.2 Jail-Specific PF Configuration </h3> <p>Each jail can run its own PF instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># /jails/vnet-jail-01/etc/pf.conf </span><span class="n">int_if</span> = <span class="s2">"epair0a"</span> <span class="n">set</span> <span class="n">skip</span> <span class="n">on</span> <span class="n">lo0</span> <span class="c"># Default deny all </span><span class="n">block</span> <span class="n">all</span> <span class="c"># Allow outbound connections </span><span class="n">pass</span> <span class="n">out</span> <span class="n">on</span> $<span class="n">int_if</span> <span class="n">all</span> <span class="n">keep</span> <span class="n">state</span> <span class="c"># Allow inbound SSH </span><span class="n">pass</span> <span class="n">in</span> <span class="n">on</span> $<span class="n">int_if</span> <span class="n">proto</span> <span class="n">tcp</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> <span class="n">any</span> <span class="n">port</span> <span class="n">ssh</span> <span class="n">keep</span> <span class="n">state</span> <span class="c"># Allow ICMP6 for network diagnostics </span><span class="n">pass</span> <span class="n">in</span> <span class="n">on</span> $<span class="n">int_if</span> <span class="n">proto</span> <span class="n">icmp6</span> <span class="n">from</span> <span class="n">any</span> <span class="n">to</span> <span class="n">any</span> <span class="n">icmp6</span>-<span class="n">type</span> { <span class="n">echoreq</span>, <span class="n">echorep</span>, <span class="n">routersol</span>, <span class="n">routeradvert</span>, <span class="n">neighbrsol</span>, <span class="n">neighbradvert</span> } <span class="n">keep</span> <span class="n">state</span> </code></pre> </div> <p>Enable PF in the jail's <code>/etc/rc.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">pf_enable</span>=<span class="s2">"YES"</span> <span class="n">pf_rules</span>=<span class="s2">"/etc/pf.conf"</span> </code></pre> </div> <h2> 5. Advanced VNET Features and Troubleshooting </h2> <h3> 5.1 Multiple Bridges and VLANs </h3> <p>For more complex setups:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /etc/rc.conf</span> <span class="nv">cloned_interfaces</span><span class="o">=</span><span class="s2">"bridge0 bridge1"</span> <span class="nv">ifconfig_bridge0</span><span class="o">=</span><span class="s2">"inet6 -ifdisabled up"</span> <span class="nv">ifconfig_bridge1</span><span class="o">=</span><span class="s2">"inet6 -ifdisabled up"</span> </code></pre> </div> <h3> 5.2 Jail Management Tools </h3> <p>Consider using tools like:</p> <ul> <li> <strong>CBSD</strong>: Powerful framework for managing jails, bhyve, and other virtual environments</li> <li> <strong>Pot</strong>: Lightweight ZFS-based jail manager focused on immutable infrastructure</li> </ul> <h3> 5.3 Monitoring and Troubleshooting </h3> <p>Key commands for debugging:</p> <ul> <li> <code>ifconfig -a</code> (host and jail)</li> <li> <code>netstat -rn</code> (host and jail)</li> <li> <code>pfctl -sr</code>, <code>pfctl -sa</code> (host and jail)</li> <li><code>tcpdump -i &lt;interface&gt;</code></li> <li> <code>dmesg</code>, <code>/var/log/messages</code>, jail console logs</li> </ul> <h2> Final Thoughts </h2> <p>Setting up VNET jails with proper network isolation gives you incredible flexibility and security for your FreeBSD infrastructure. The IPv6-only approach simplifies configuration while preparing your systems for the future.</p> <p>Have you tried setting up VNET jails before? What challenges did you face? I'd love to hear about your experiences in the comments below!</p> <p><em>Originally published on <a href="https://synthetic-context.net/docs/freebsd-jails-vnet-2026" rel="noopener noreferrer">synthetic-context.net</a></em></p> freebsd devops security tutorial