Setting Up ezJail and Ports Collection on pfSense – Part 1

ezJail is a jail administration framework for FreeBSD jails that makes jail administration very easy. ezJail on pfSense lets us integrate applications like HAProxy with pfSense in a way that is safe and sound for a production environment. So let’s get started.

Part 1 covers setting up ezJail on pfSense.

Part 2 covers setting up the Ports Collection on pfSense.

Step # 1: Install ezJail on pfSense

Install the ezjail-3.2.1 package on pfSense 2.0.1:

pkg_add -v ftp://ftp.riken.go.jp/pub/FreeBSD/releases/amd64/8.3-RELEASE/packages/sysutils/ezjail-3.2.1_1.tbz

Install ezJail on pfSense

Step # 2: Create Base Jail

Before creating a new jail we need to create a base jail. The base jail holds the base system (/bin, /boot, /sbin, /lib, /libexec, /rescue, /usr/{bin, include, lib, libexec, ports, sbin, share, src}). This base jail is mounted read-only into all jails, saving disk space, inodes and even memory, and it also means a compromised jail cannot tamper with the shared base system binaries.

Since we do not have the FreeBSD source tree on pfSense, we will use “ezjail-admin install” to create the base jail from an FTP server:

ezjail-admin install -r "8.1-RELEASE" -h ftp.riken.go.jp

If the command is not found, run it from /usr/local/bin (./ezjail-admin install -r ………) or restart your SSH session to pfSense.

Create Base Jail

Although ezjail provides the “ezjail-admin install -p” switch to include the ports tree in the base jail, it relies on portsnap, which is not available on pfSense. You will see the following error at the end of the base jail creation if you use the -P switch.

Portsnap Failed

Part 2 of this post addresses this issue.

Step # 3: Create CARP Virtual IP

Each FreeBSD jail is bound to a specific IP address, so we will create a new CARP virtual IP for our new jail. This IP must belong to one of the networks connected to pfSense. Once created, make sure you can ping this IP, at least from the network it belongs to.

Create Virtual IP

Step # 4: Create new JAIL

Let’s name our jail “ha.testnet.local”. Type the following command to create the jail:

ezjail-admin create -r /jails/ha.testnet.local ha.testnet.local 192.168.29.101

You may see this warning on completion.

Create Jail

The configurations of all jails are stored under /usr/local/etc/ezjail/.

Verify the configuration of the newly created jail by typing the following commands:

cd /usr/local/etc/ezjail
vi ha_testnet_local

Jail Config

Step # 5: Starting Jails Manually

Starting, stopping and checking the status of jails is simple. Just run the following commands from /usr/local/etc/rc.d:

./ezjail onestart
./ezjail onestop
jls

Start Jail

Step # 6: Starting Jails Automatically with pfSense

The usual rc.d scripts added to /usr/local/etc/rc.d/ will not function on pfSense: there is no rc.conf, and you cannot create one because it will be deleted. Instead, create your own startup script in /usr/local/etc/rc.d/, making sure its name ends with .sh and that it is marked executable (chmod +x); it will then run at boot time.

The following script will start ezjail when pfSense boots.

#!/bin/sh
# pfSense boot hook: every executable *.sh in /usr/local/etc/rc.d/ is run
# at startup, so this script wraps the regular ezjail rc script.

# Start all enabled jails via ezjail's rc script
rc_start() {
	/usr/local/etc/rc.d/ezjail onestart
}

# Stop all running jails
rc_stop() {
	/usr/local/etc/rc.d/ezjail onestop
}

case "$1" in
	start)
		rc_start
		;;
	stop)
		rc_stop
		;;
	restart)
		rc_stop
		rc_start
		;;
esac

You can upload this script via pfSense’s web GUI (Diagnostics -> Command Prompt) and then copy /tmp/ezjail.sh to /usr/local/etc/rc.d/.

If you are using a Windows machine, make sure that when you copy and paste this script into your preferred text editor you convert it to UNIX format, because the end-of-line (EOL) characters of UNIX and Windows differ. I use Notepad++ on Windows, which has a handy function in “Edit->EOL Conversion->UNIX Format” to convert the file to UNIX format.

Make it executable and test it by running it manually:

chmod +x ezjail.sh
./ezjail.sh start
./ezjail.sh stop

Test Startup Script

Reboot pfSense and your jail should start automatically. Confirm this by running jls.

Step # 7: Logging into Jail

jexec 1 sh

Login into Jail
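
The JID used with jexec above is assigned in start order and changes whenever jails are restarted, so a script should look the jail up by hostname in jls output instead of hard-coding 1. The following helper, an added example that is not part of the original post, parses the FreeBSD 8.x jls column layout (JID, IP Address, Hostname, Path), returns the JID for a given hostname, and checks that the jail is running on the CARP VIP from Step 3; JLS_OUTPUT is a constructed sample used for offline testing.

```shell
#!/bin/sh
# Added example: find a jail by hostname in jls(8) output rather than
# assuming "jexec 1". Constructed sample of FreeBSD 8.x jls output
# (columns: JID, IP Address, Hostname, Path) used when testing offline.
JLS_OUTPUT='   JID  IP Address      Hostname                      Path
     1  192.168.29.101  ha.testnet.local              /jails/ha.testnet.local
     2  192.168.29.102  db.testnet.local              /jails/db.testnet.local'

# jail_jid NAME [JLS_TEXT]
# Prints the JID whose Hostname column equals NAME. Reads jls output from
# the optional second argument (for testing); otherwise runs jls itself.
# Returns 1 when no such jail is running.
jail_jid() {
	_name="$1"
	if [ -n "$2" ]; then _out="$2"; else _out="$(jls)"; fi
	printf '%s\n' "$_out" | awk -v n="$_name" \
		'NR > 1 && $3 == n { print $1; found = 1 }
		 END { exit found ? 0 : 1 }'
}

# jail_check NAME IP [JLS_TEXT]
# Returns 0 only if jail NAME is running and bound to IP (the CARP VIP
# created in Step 3); anything else, including the right name on the wrong
# address, returns 1.
jail_check() {
	_name="$1"; _ip="$2"
	if [ -n "$3" ]; then _out="$3"; else _out="$(jls)"; fi
	printf '%s\n' "$_out" | awk -v n="$_name" -v ip="$_ip" \
		'NR > 1 && $3 == n && $2 == ip { ok = 1 }
		 END { exit ok ? 0 : 1 }'
}

# Usage on pfSense: ./jailtool.sh login  (hypothetical script name)
# Refuses to enter the jail unless it is up on the expected VIP.
if [ "${1:-}" = "login" ]; then
	jail_check ha.testnet.local 192.168.29.101 \
		|| { echo "ha.testnet.local is not running on 192.168.29.101" >&2; exit 1; }
	exec jexec "$(jail_jid ha.testnet.local)" sh
fi
```

The same jail_check call can be appended to the boot script from Step 6 to log a warning if the jail failed to come up after onestart.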

Move on to Part 2 to set up the Ports Collection.

About Dinesh Sharma

Experienced system architect, programmer, and trainer. This blog is a way of giving back and helping the community. So feel free to ask a question or to leave a comment.


  • Dolbnin Dmitry

    Good day Dinesh!
    Unfortunately No. 3 doesn’t work for me, probably due to a configuration error or problems inside the release. I feel there should be some other way, but I cannot understand the problem completely because I’m still very new to BSD.
    Your suggestions are very much appreciated.
    Best regards, Dimitry

    2.1-RC1 (amd64)
    built on Wed Aug 7 20:59:21 EDT 2013

    FreeBSD 8.3-RELEASE-p9

    • Hi,

      By No. 3, do you mean you are not able to create a CARP virtual IP, or something else?
      What’s the exact message or issue?

      • Dolbnin Dmitry

        Hello again Dinesh!

        Yes, it is CARP. If I try to apply the IP to any WAN port (I have two of them – MultiWAN) I get the following error:

        The following input errors were detected:

        Sorry, we could not locate an interface with a matching subnet for 192.168.1.254/24. Please add an IP alias in this subnet on this interface.

        • Hi Dimitry,

          A CARP IP needs to belong to a particular interface and be in its range. In my case I had a private IP assigned as my WAN IP because the snapshots in the post are of a test setup. However, in production, if you want to bind the IP to the WAN interface you have to use another WAN IP provided to you by your ISP. What I do in production in a multi-WAN situation is bind HAProxy to a DMZ network’s IP, where the other web servers are hosted, and then forward the required ports on both ISPs to HAProxy’s IP. This keeps the jail configuration simple.

          Hope this helps.


  • Great!
    It is the thing I’ve been searching for…
    Definitely, ezjail-admin is the best method.

  • Florian Heigl

    Just out of my lack of understanding of pfSense:
    will this persist across upgrades?

  • Nandhan

    Hi Dinesh, I know it’s already far too late to ask, but I’m new to pfSense. I’m having an issue with starting jails. I followed almost every step, but I’m not sure whether I misconfigured any of them. I’m using the “pfSense-CE-2.3.4-RELEASE-amd64” version. I’m able to ping the CARP IP and able to see the jails created, but not able to start them. I would really appreciate it if you could suggest a solution.

    Best regards, Nandhan