Stefano Marinelli · 2022-01-14 · via IT Notes - security

The OVH (and Soyoustart, of course) network seems to be configured in a "strange" way, and setting up failover IPs isn't always as straightforward as you would expect.

Sometimes you want (or need) to assign a public IP address to a FreeBSD jail without resorting to NAT, but there isn't much documentation on how to do it inside a jail.

Let's suppose your FreeBSD host's public IP address is 1.2.3.4 and your failover IP is 6.7.8.9.

First of all, go to your control panel (OVH/Soyoustart/etc.) and generate a MAC address for the failover public IP address you want to assign to the jail. Let's assume it's ca:fe:ca:fe:ca:fe.

Now go back to the FreeBSD host and take note of its gateway (it should be 1.2.3.254, but double check); you'll need it later.

Now it's time to create the jail. I love BastilleBSD as it's light, has no dependencies and is being actively developed. I won't cover how to install and bootstrap Bastille in this article; for further information, have a look at the official documentation.

We need VNET for this, so that the jail gets its own complete network stack. If you've read that VNET is unstable, you've found some old articles. Don't worry: you can use it now, it's stable.

So, let's create our jail. With VNET, a bridge interface is created and both the physical and the jailed network interfaces are attached to it. Let's suppose the physical host interface is em0 and call the jail p1:

bastille create -V p1 14.2-RELEASE 6.7.8.9 em0

We're asking Bastille to create a VNET jail (-V) called p1, running FreeBSD 14.2-RELEASE, with IP 6.7.8.9, and to attach the created bridge to em0. The jail will be created and started, but we're not ready to use it yet.

Let's stop the jail:

bastille stop p1

Now let's modify the jail.conf, as we have to set the MAC address we generated in the web panel on the host side of the jail's interface.

You’ll have something like this:

…
 vnet;
 vnet.interface = e0b_bastille0;
 exec.prestart += "jib addm bastille0 em0";
 exec.prestart += "ifconfig e0a_bastille0 description \"vnet host interface for Bastille jail p1\"";
 exec.poststop += "jib destroy bastille0";
}

Let's add this line right after the exec.prestart += "jib addm bastille0 em0"; line:

exec.prestart += "ifconfig e0a_bastille0 ether ca:fe:ca:fe:ca:fe";

Now let's configure the network interface inside the jail, as Bastille couldn't figure out the "strange" OVH network configuration on its own. Let's edit the jail's rc.conf file. If you haven't changed Bastille's default setup, it should be:

/usr/local/bastille/jails/p1/root/etc/rc.conf

Remove the network settings already set by Bastille and replace them with something like this:

ifconfig_vnet0="inet 6.7.8.9 netmask 255.255.255.255 broadcast 6.7.8.9"
static_routes="ovh"
route_ovh="-net 1.2.3.254 -iface vnet0"
defaultrouter="1.2.3.254"

The jail's address has a /32 netmask, so the gateway is outside the jail's subnet and FreeBSD would normally refuse to use it. The route_ovh entry (-iface vnet0) tells the kernel that the "foreign" gateway 1.2.3.254 is reachable directly on vnet0; only then can defaultrouter send outbound traffic through it.

Save, exit and start the jail:

bastille start p1

Congratulations: you can ping the jail's public IP, and the jail reaches the outside world via its own public IP address.
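The two manual edits above (the ether line in jail.conf and the rc.conf network stanza) are easy to get subtly wrong, and a mistyped MAC means the failover IP simply never carries traffic. The following POSIX sh script is an added example, not code from the original post or from Bastille: it validates the MAC (unicast, six hex octets) and both addresses, inserts the ether line directly after the "jib addm" line of a jail.conf (idempotently, so re-running does no harm) and rewrites only the network lines of an rc.conf, keeping everything else. The function names, the file-path arguments and the constructed sample files in demo() are assumptions; the values are the post's placeholders (p1, bastille0, em0, 6.7.8.9, 1.2.3.254, ca:fe:ca:fe:ca:fe).

```shell
#!/bin/sh
# Added example (not from the original post or from Bastille): apply the two
# configuration edits from the post from a script, after validating the inputs.
# MAC, addresses and file paths are passed in as arguments; nothing here
# touches a live jail.
set -eu

# True if $1 is a colon-separated unicast MAC (low bit of the first octet clear).
valid_mac() {
    case "$1" in
        [0-9a-fA-F][02468aceACE]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F])
            return 0 ;;
        *)  return 1 ;;
    esac
}

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in .*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# The jail.conf line that pins the panel-generated MAC on the host side (e0a_)
# of the epair for VNET interface $1 (bastille0 in the post).
mac_prestart_line() {
    printf 'exec.prestart += "ifconfig e0a_%s ether %s";' "$1" "$2"
}

# Insert that line into jail.conf $1 right after the "jib addm <iface> ..." line.
# A second run is a no-op once an ether line for the interface exists.
add_mac_to_jailconf() {
    conf=$1; iface=$2; mac=$3
    valid_mac "$mac" || return 1
    grep -qF "ifconfig e0a_${iface} ether" "$conf" && return 0
    grep -qF "jib addm ${iface} " "$conf" || return 1
    awk -v iface="$iface" -v line="$(mac_prestart_line "$iface" "$mac")" '
        { print }
        index($0, "jib addm " iface " ") {
            match($0, /^[ \t]*/)            # keep the indentation used in the file
            print substr($0, 1, RLENGTH) line
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Replace the network settings in rc.conf $1 with the /32-plus-host-route
# stanza for failover IP $2 and host gateway $3; unrelated lines are kept.
write_rcconf_network() {
    rc=$1; ip=$2; gw=$3
    valid_ipv4 "$ip" && valid_ipv4 "$gw" && [ "$ip" != "$gw" ] || return 1
    {
        grep -v -E '^(ifconfig_|static_routes=|route_|defaultrouter=)' "$rc" 2>/dev/null || true
        printf 'ifconfig_vnet0="inet %s netmask 255.255.255.255 broadcast %s"\n' "$ip" "$ip"
        printf 'static_routes="ovh"\n'
        printf 'route_ovh="-net %s -iface vnet0"\n' "$gw"
        printf 'defaultrouter="%s"\n' "$gw"
    } > "$rc.tmp" && mv "$rc.tmp" "$rc"
}

# Demo on constructed files in a temporary directory, using the placeholders
# from the post. Prints the directory so the results can be inspected.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/jail.conf" <<'EOF'
p1 {
 vnet;
 vnet.interface = e0b_bastille0;
 exec.prestart += "jib addm bastille0 em0";
 exec.prestart += "ifconfig e0a_bastille0 description \"vnet host interface for Bastille jail p1\"";
 exec.poststop += "jib destroy bastille0";
}
EOF
    # Constructed stand-in for what Bastille wrote: a /24 the OVH gateway is not in.
    printf 'hostname="p1"\nifconfig_vnet0="inet 6.7.8.9/24"\ndefaultrouter="6.7.8.254"\n' > "$dir/rc.conf"
    add_mac_to_jailconf "$dir/jail.conf" bastille0 ca:fe:ca:fe:ca:fe
    add_mac_to_jailconf "$dir/jail.conf" bastille0 ca:fe:ca:fe:ca:fe   # idempotent
    write_rcconf_network "$dir/rc.conf" 6.7.8.9 1.2.3.254
    printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo and inspect the printed directory; on a real host you would point add_mac_to_jailconf at /usr/local/bastille/jails/p1/jail.conf and write_rcconf_network at the jail's rc.conf while the jail is stopped, then start it as in the post. The /32 check in write_rcconf_network is deliberately strict: the gateway only works through the -iface route because it is not inside the jail's subnet.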