Help with natd on a specific IP when multiple IPs on same interface

Alejandro Imass aimass at
Tue Oct 22 12:38:19 UTC 2013

On Fri, Oct 18, 2013 at 9:53 AM, Alejandro Imass <aimass at> wrote:
> Hi,
> A while back I posted a problem related to natd on an single interface
> with multiple IPs. We use use natd to enable Internet access to a
> bunch of jails and also to redirect specific ports to some of the
> jails, whilst other jails may be bound to public IPs as well.
> The problem is that once natd is in operation, all the outbound
> traffic appears to come from the first public IP assigned to the
> interface.
> Is there any way to more granularly configure natd (static nat
> perhaps?) so that traffic that is bound to the other public IPs (i.e.
> from a jail that is bound to another public IP of the same interface)
> appears to come from the correct IP?
> Our overall set-up is pretty simple:
> a) A single nic (em0) with multiple public IPs
> b) All jails have one private IP in 192.168.101.x which are all aliases of lo0
> c) Some jails may have both the private IP and also a public public
> IP. Any public IP bound to a specific jail is unique to that jail.
> d) One public IP is reserved for the base system
> e) For those jails that don't have public IPs we redirect the shh port
> with natd as well, using a port number scheme xxx22 where xxx is the
> last digits of the private IP
> f) HTTP inbound traffic is reverse-proxied using Apache mod_proxy to
> those jails that don't have public IP. The central proxy is also a
> jail that is bound to the base system's public IP which traps port 80
> of the base system's IP.
> g) We make sure that nothing listens on * Every service is carefully
> tailored to bind to a specific IP. For example, all sshd of every jail
> listen specifically on their respective private IP.
> rc.conf
> -----------
> natd_enable="YES"
> natd_interface="em0"
> natd_flags="-f /etc/natd.conf"
> natd.conf
> --------------
> redirect_port tcp 12322
> etc...
> The specific objectives to fix are:
> 1) In the port redirect above to use the specific base system IP,
> something like:
> redirect_port tcp
> 2) When a connection is made from inside a jail bound to a public IP,
> that it appears to come from that public IP and not from the first IP
> assigned to em0
> 3) That ssh -b actually works correctly per point 2 above
> 4) Should we switch to kernel-based nat instead of natd?
> Thanks in advance for any help!
> --
> Alejandro Imass

Greetings FBSD crowd!

Is anyone else experiencing this? Did I describe the issue correctly?
Can I provide more information on the problem?


Alejandro Imass

More information about the freebsd-questions mailing list