NAT

Thanks to virtual networks, AppJail can use NAT in two ways: manually, using appjail-nat(1) or automatically using appjail-quick(1).

Warning

You must read Packet Filter before using this option.

appjail quick jnat \
    virtualnet="development:jnat default" \
    nat \
    start
# explicitly
appjail quick jnat \
    virtualnet="development:jnat default" \
    nat="network:development" \
    overwrite \
    start

The nat option requires the network parameter to be defined, but as you can see in the example above, the virtual network development is the default network, which implies that the gateway is used as the default router, also, as appjail-quick(1) knows, it uses that network implicitly in some options like nat and expose.

You can apply NAT on multiple networks. This is useful only if you plan to use the source address for different purposes.

# appjail quick jnat \
    virtualnet="development:jn1 default" \
    virtualnet="web:jn2" \
    nat \
    nat="network:web" \
    start \
    overwrite
...
# appjail network hosts -REj jnat
192.128.0.2     development
10.0.0.2        web
# appjail cmd jexec jnat ping -c4 -S 192.128.0.2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.128.0.2: 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=114 time=45.209 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=44.204 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=44.436 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=114 time=44.864 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 44.204/44.678/45.209/0.387 ms
# appjail cmd jexec jnat ping -c4 -S 10.0.0.2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 10.0.0.2: 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=114 time=44.984 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=114 time=45.167 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=114 time=44.426 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=114 time=44.581 ms

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 44.426/44.789/45.167/0.298 ms

To create NAT rules manually for an existing jail, we can use appjail-nat(1).

appjail quick jnat \
    virtualnet="development:jn1 default" \
    overwrite
appjail nat add jail -n development jnat
appjail-config set -Ij jnat exec.prestart='appjail nat on jail ${name}'
appjail-config set -Ij jnat exec.poststop='appjail nat off jail ${name}'
appjail start jnat

AppJail can apply NAT to an entire network space instead of a single jail. To do this, we need to use appjail-nat(1) network in the same way AppJail does for jails manually.

# appjail nat add network db
# appjail nat on network db
# appjail nat boot on network db
# service appjail-natnet status
NAT Information:

BOOT  NAME  RULE
1     db    nat on "jext" from 10.42.0.0/24 to any -> ("jext:0")

Status:

nat on jext inet from 10.42.0.0/24 to any -> (jext:0) round-robin

The appjail-nat(1) boot on network command sets the boot flag to apply NAT rules when starting FreeBSD using the appjail-natnet service.

Tip

To apply NAT to an entire network at startup, enable the RC script:

sysrc appjail_natnet_enable=YES

When applying NAT rules for networks, it can be useful to apply NONAT for a single jail to avoid masking its IP address. AppJail can do this in the same way as NAT rules.

# Using appjail quick:
appjail quick jnonat \
    virtualnet="db:jnonat default" \
    nonat \
    overwrite \
    start
# Manually:
appjail quick jnonat \
    virtualnet="db:jnonat default" \
    overwrite
appjail nat add jail -n db -N jnonat
appjail-config set -Ij jnonat exec.prestart='appjail nat on jail ${name}'
appjail-config set -Ij jnonat exec.poststop='appjail nat off jail ${name}'
appjail start jnonat

Info

Since IP forwarding is enabled, jails that are on different networks don't get isolation. This is not a problem when isolation is not necessary in such a way, you can use the firewall to block some packets, but you can also use virtual networks with IP forwarding enabled simply to get better organization. Consider using Bridges when possible.

Warning

If EXT_IF and ON_IF are configured to a vtnet device (e.g., vtnet0), you may experience extremely slow download speed inside the jail. That might relate to a checksum issue described here. You can set hw.vtnet.csum_disable="1" in /boot/loader.conf to make CPU to perform the checksum instead of your NIC to solve the problem temporarily.

See also:

Virtual Networks