Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 18 Oct 2013 09:53:11 -0400
From:      Alejandro Imass <>
To:        FreeBSD Questions <>
Subject:   Help with natd on a specific IP when multiple IPs on same interface
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help

A while back I posted a problem related to natd on an single interface
with multiple IPs. We use use natd to enable Internet access to a
bunch of jails and also to redirect specific ports to some of the
jails, whilst other jails may be bound to public IPs as well.

The problem is that once natd is in operation, all the outbound
traffic appears to come from the first public IP assigned to the

Is there any way to more granularly configure natd (static nat
perhaps?) so that traffic that is bound to the other public IPs (i.e.
from a jail that is bound to another public IP of the same interface)
appears to come from the correct IP?

Our overall set-up is pretty simple:

a) A single nic (em0) with multiple public IPs

b) All jails have one private IP in 192.168.101.x which are all aliases of lo0

c) Some jails may have both the private IP and also a public public
IP. Any public IP bound to a specific jail is unique to that jail.

d) One public IP is reserved for the base system

e) For those jails that don't have public IPs we redirect the shh port
with natd as well, using a port number scheme xxx22 where xxx is the
last digits of the private IP

f) HTTP inbound traffic is reverse-proxied using Apache mod_proxy to
those jails that don't have public IP. The central proxy is also a
jail that is bound to the base system's public IP which traps port 80
of the base system's IP.

g) We make sure that nothing listens on * Every service is carefully
tailored to bind to a specific IP. For example, all sshd of every jail
listen specifically on their respective private IP.

natd_flags="-f /etc/natd.conf"

redirect_port tcp 12322

The specific objectives to fix are:

1) In the port redirect above to use the specific base system IP,
something like:

redirect_port tcp

2) When a connection is made from inside a jail bound to a public IP,
that it appears to come from that public IP and not from the first IP
assigned to em0

3) That ssh -b actually works correctly per point 2 above

4) Should we switch to kernel-based nat instead of natd?

Thanks in advance for any help!

Alejandro Imass

Want to link to this message? Use this URL: <>