how to make a non-vnet jail local only?

Ernie Luzar luzar722 at
Thu Aug 6 11:44:00 UTC 2020

Shane Ambler wrote:
> On 6/8/20 1:39 am, Arthur Chance wrote:
>> On 05/08/2020 15:17, Ernie Luzar wrote:
>>> Arthur Chance wrote:
>>>> On 05/08/2020 02:02, Ernie Luzar wrote:
>>>>> I have non-vnet jails working that can reach the public internet.
>>>>> But now I would like to make some local only non-vnet jails that can
>>>>> only access other local only non-vnet jails. By local meaning having no
>>>>> access to the public internet.
>>>>> How do I make this happen?
>>>>> Thanks for any pointers.
>>>> Create a second loopback interface (cloned_interfaces="lo1" in
>>>> /etc/rc.conf or ifconfig lo1 create for manual control) and put the
>>>> local jails on lo1 without access to any other interface.
>>> I tested this already and it doesn't work.
>>> non-vnet jail with lo99 for the nic and ip address of can
>>> still reach the public internet.
> Do you have bridging or routing enabled?
> Routing can receive foreign packets on an interface and route them to a
> different interface.
> Bridging connects interfaces, sending the same packets on each.
> While I don't have jails set up, I use sysutils/vm-bhyve for bhyve
> instances. I have two "vm switches" which are bridge interfaces
> connecting bhyve instances with physical interfaces, one bridges with
> wlan0 and allows a vm to get internet access, the second bridges with
> re0, which has no physical connection and provides no internet access to
> bhyve instances, but I can ssh into it from the host.
> I have -
> 0
> 0
> 1
> 1
> net.inet.ip.sourceroute: 0

Using 12.1 generic with the system default for those settings.
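An added example, not from any post in this thread: a small POSIX shell script that emits the jail.conf entry for a local-only non-VNET jail pinned to lo1, the host pf rules that keep it local, and a helper that reads a value out of sysctl output of the kind quoted above. The jail name localjail1, the 10.99.0.0/24 subnet and the external interface em0 are assumed. The reason the lo1-only approach tested above still reaches the internet is that a non-VNET jail shares the host's routing table: an address on lo1 only fixes the jail's source address, and if the host NATs jail traffic the packets still leave through the default route, so the host firewall rather than the interface choice has to enforce the isolation. In pf, translation rules are evaluated before filter rules, which is why the `no nat` exemption must sit before any general nat rule for the internet-capable jails.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the pieces needed to keep a
# non-VNET jail local: a jail.conf entry on lo1 and host pf rules.
# Assumed/constructed values: jail "localjail1", subnet 10.99.0.0/24, ext if em0.

LOCAL_NET="10.99.0.0/24"
EXT_IF="em0"

# rc.conf lines that create lo1 at boot (the cloned interface suggested above)
gen_rc_conf() {
    printf 'cloned_interfaces="lo1"\n'
    printf 'ifconfig_lo1="inet 10.99.0.254/24"\n'
    printf 'pf_enable="YES"\n'
}

# jail.conf entry: the jail's only address is an alias added on lo1 at start
gen_jail_conf() {
    name="$1"; addr="$2"
    printf '%s {\n' "$name"
    printf '    path = "/usr/jails/%s";\n' "$name"
    printf '    host.hostname = "%s.local";\n' "$name"
    printf '    ip4.addr = "lo1|%s/24";\n' "$addr"
    printf '    ip6 = "disable";\n'
    printf '    exec.start = "/bin/sh /etc/rc";\n'
    printf '    exec.stop = "/bin/sh /etc/rc.shutdown";\n'
    printf '    mount.devfs;\n'
    printf '}\n'
}

# pf.conf fragment: exempt local-only jails from NAT (translation rules run
# before filter rules) and block anything from them that would leave on em0
gen_pf_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
local_net = "$LOCAL_NET"
table <localjails> persist { $LOCAL_NET }
# translation rules are evaluated first: never NAT the local-only jails
no nat on \$ext_if from <localjails> to any
# (the existing nat rule for internet-capable jails goes after this line)
# filter: local-only jails may only talk to each other on lo1
block return out quick on \$ext_if from <localjails> to any
pass quick on lo1 from <localjails> to \$local_net
EOF
}

# Extract the value from one line of "sysctl name: value" output, e.g. from
# "sysctl net.inet.ip.forwarding" when checking whether the host routes.
sysctl_value() {
    printf '%s\n' "$1" | sed 's/^[^:]*: *//'
}

# Usage: sh local_jail.sh show
if [ "${1:-}" = "show" ]; then
    gen_rc_conf; echo
    gen_jail_conf localjail1 10.99.0.1; echo
    gen_pf_rules; echo
    sysctl_value "$(sysctl net.inet.ip.forwarding)"
fi
```

Load the pf fragment into the host's existing pf.conf ahead of its nat rule, then verify from inside the jail that a connection to a public address fails while one to another 10.99.0.0/24 jail succeeds; `pfctl -sr` and `pfctl -t localjails -T show` confirm the rules and table are active.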
