> On 10. Dec 2025, at 12:09, Anthony Pankov <[email protected]> wrote:
>
> Hello,
>
> I'm again facing the problem of providing a host-wide interface to all jails on
> a host.
> I want (for example) a jail with unbound (DNS resolver/cacher) inside, bound to
> a host-wide interface. The host-wide interface has a well-known address (IPv6
> 1::1/128 for example).
> All other jails simply put "nameserver 1::1" in their resolv.conf.
>
> The problem is that jails can't share one IP address ("address clashes") and
> can't "inherit" only one interface. Inheriting applies to the whole network stack
> as I see it.
>
> Maybe someone has some suggestions?
>
>
> P.S. Some time ago I solved this in a not very clean manner by supplying its own
> loopback interface and a unique address (127.0.X.1) to every jail on a host.
> Then the jail with unbound binds to its 127.0.U.1, and the other jails must set
> "nameserver 127.0.U.1". This solution has administrative problems because of the
> dynamic nature of the addresses (127.0.X.1). Things get worse if jails are
> transferred to a different host.
>
>
The way this is usually accomplished is:
- use vnet jails, connect them to a bridge on the jailhost, and make DNS listen
on the bridge's IP, or
- make DNS listen on an IP reachable from within the jail and firewall off
access from other sources on your network (in this case no vnet is required).
There are also hacks (at least with IPv4) where you can have an rdr rule in
pf.conf that redirects DNS traffic originating from your jail to your DNS
server listening on 127.0.0.1. Think `rdr proto udp from $jailip to 1.2.3.4
port 53 -> 127.0.0.1`.
Sharing localhost among many jails isn't really desirable unless you have very
compelling reasons (reaching a DNS server doesn't seem one of them to me, but
I don't know the details of your setup).
Cheers
Michael
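The bridge-plus-vnet layout from the first bullet of the reply, written out as a jail.conf fragment. This is an added example, not configuration from the thread: the bridge name bridge0, the jail names dns and www, the epair names and the 192.0.2.0/24 addresses (documentation range) are all assumptions, and the host is assumed to create and address bridge0 itself (for example cloned_interfaces="bridge0" and ifconfig_bridge0="inet 192.0.2.1/24" in the host's rc.conf).

```conf
# /etc/jail.conf (added example; names, interfaces and addresses are assumptions)
#
# Every jail gets its own vnet (own network stack, own lo0), so there is no
# address clash between jails. Each jail owns the "b" end of an epair whose
# "a" end is a member of the host bridge bridge0, which the host has already
# created and addressed (192.0.2.1/24 assumed).

exec.clean;
mount.devfs;
path = "/jails/$name";

vnet;
vnet.interface = "${epair}b";

# Host side: create the epair and attach its "a" end to the bridge before the
# jail starts; tear the pair down after the jail has stopped.
exec.prestart  = "ifconfig ${epair} create";
exec.prestart += "ifconfig ${epair}a up";
exec.prestart += "ifconfig bridge0 addm ${epair}a";
exec.poststop  = "ifconfig ${epair}a destroy";

# Jail side: address the jail's end of the epair first, then run rc so that
# services (unbound in the dns jail) find the address already configured.
exec.start  = "ifconfig ${epair}b inet ${addr}/24 up";
exec.start += "/bin/sh /etc/rc";
exec.stop   = "/bin/sh /etc/rc.shutdown";

# Resolver jail. Inside it, unbound.conf (assumed) carries
#   interface: 192.0.2.53
#   access-control: 192.0.2.0/24 allow
# so the resolver answers the bridge network only.
dns {
    $epair = "epair53";
    $addr  = "192.0.2.53";
}

# Client jail. Its /etc/resolv.conf contains "nameserver 192.0.2.53".
www {
    $epair = "epair10";
    $addr  = "192.0.2.10";
}
```

The resolver address is a fixed value on the bridge network rather than a per-jail 127.0.X.1, so the same resolv.conf line works in every client jail and survives moving a jail to another host that uses the same bridge addressing. If the bridge network is also routed off the host, combine this with the second bullet's point and filter port 53 traffic to 192.0.2.53 on the host's external interface so the resolver stays reachable from the jails only.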