Setting Up ezJail and Ports Collection on pfSense – Part 2

In Part 1 we installed ezJail in pfSense, created a new jail, and then made that jail to start automatically with pfSense. In this part we will setup Ports Collection on pfSense so that we can install ports inside our jail. This Ports Collection can also be shared with more than one jail on pfSense.

ezJail installs a base jail that holds the base image. This base jail is mounted read-only in all jails we create using ezJail.

Following diagram shows how the base jail is mounted in jails we create.

ezJail - Base Jail

ezJail – Base Jail

Basically base jail is exposed inside a jail as “basejail” directory. System directories inside jail {bin, boot, … ,/usr/ports} etc are just soft links of directories in this read-only “basejail” directory.

When installing a base jail ezJail supports installing Ports Collection in base jail using portsnap. However, as portsnap is not available on pfSense it fails to create Ports Collections in base jail.

However portsnap is included in base image. So we will install Ports Collection using portsnap from within the jail.

So we need read-write access to “ports directory of base jail” inside our jail.

Following diagram shows how we are going to do this.

ezJail - Ports Collection

ezJail – Ports Collection

Step # 1: Create “ports” Directory in base jail

We need to first create ports directory in base jail as shown below.

cd /usr/jails/basejail/usr/

mkdir ports

Step # 2: Create a read write mount point for “ports”

In our jail directory we will create a mount point as “baseports”. “baseports” will serve us a read write access to ports directory of base jail.

cd /jails/ha.testnet.local/

mkdir baseports

Step # 3: Expose Read-Write Access to Base Jail Ports inside jail

mount_nullfs /usr/jails/basejail/usr/ports/ baseports
Mount Ports

Mount Ports

Step # 4: Re-Link /usr/ports inside Jail, to “baseports”

Login into jail:

jexec 1 sh

Re-link /usr/ports:

cd /usr

unlink ports

ln –s /baseports ports

Re-link Ports

Re-link Ports

Step # 5: Ensure internet access in jail to install ports

Make sure jail IP is allowed in firewall rules. Also make sure you configure /etc/resolv.conf as shown below.

echo nameserver >> /etc/resolv.conf

echo nameserver >> /etc/resolv.conf

Step # 6: Install Ports Collection

Finally let us install Ports Collection using:

portsnap fetch extract
Install Ports Collection

Install Ports Collection

Step # 7 (Optional): Re-Link /usr/ports to Read-Only copy of “ports in base jail”

cd /usr

unlink ports

ln –s /basejail/usr/ports ports

Step # 8 (Optional): Un-mount Read-Write access to “ports in base jail”

On pfSense issue following command:

umount /jails/ha.testnet.local/baseports
About Dinesh Sharma

Experienced system architect, programmer, and trainer. This blog is a way of giving back and helping the community. So feel free to ask a question or to leave a comment.

  • Pingback: Installing HAProxy on pfSense | DINESH SHARMA()

  • Pingback: Setting Up ezJail and Ports Collection on pfSense - Part 1 - DINESH SHARMA()

  • Dolbnin Dmitry

    Good day Dinesh ! I’m out of ideas with /mount_nullfs: Resource deadlock avoided/ while trying /

    mount_nullfs /usr/jails/basejail/usr/ports/ baseports/

    2.1-RC1 (amd64)
    built on Tue Jul 30 18:29:31 EDT 2013

    FreeBSD 8.3-RELEASE-p9

    Your suggestions are very appreciated.
    Best regards, Dimitry.

    • Hi Dimitry,


      Please make sure that you have first created the baseports directory.
      Then try the following command, WITHOUT the trailing slash.

      mount_nullfs /usr/jails/basejail/usr/ports/ baseports

      Also you may get this error if baseports directory is already mounted.
      Check with mount command.

      Best Regards

      • Dolbnin Dmitry

        Thank you, Dinesh !
        I’ll do this ASAP and let you know.
        Kind regards, Dimitry.

        • Dolbnin Dmitry

          Downloaded and installed fresh snapshot and everything worked just fine.
          Thank you Dinesh for your patience 🙂
          Best regards, Dimitry.

  • Alexandre


    Thank you for this tutorial, but I have a little problem to Step 6:
    portsnap fetch extract

    proxy# cat /etc/resolv.conf
    proxy# portsnap fetch extract
    Looking up mirrors… none found.
    Fetching public key from… failed.
    No mirrors remaining, giving up.

    Pfsense configured like this:
    (IP WAN (route – pfsense – LAN (192.168.10.x)

    Will you help me solve this problem please?

    • Hi Alexandre,

      Name servers are fine.
      But are you sure you have allowed access to internet for your JAIL_IP (?) in pfsense’s access rules?

      Try running nslookup in jail to confirm.

      • Alexandre

        No, I did not allow Internet access. The problem is solved now.


  • Andyrue

    I hope you’re still monitoring this. After doing all of the above, I cd into a ports tree directory and try running “make fetch” and it results in the following error.

    Unknown modifier ‘t’

    “/usr/ports/Mk/”, line 1767: Malformed conditional (defined(USE_RC_SUBR) && ${USE_RC_SUBR:tu} != “YES”)

    Unknown modifier ‘t’

    Unknown modifier ‘t’

    Unknown modifier ‘t’

    Unknown modifier ‘t’

    “/usr/ports/Mk/”, line 957: Malformed conditional (!empty(_PERL_CPAN_ID) && ${_PERL_CPAN_FLAG:tl} == “cpan”)

    Unknown modifier ‘t’

    “/usr/ports/Mk/”, line 2929: Unclosed conditional/for loop

    “/usr/ports/Mk/”, line 2929: Unexpected end of file in for loop.

    “/usr/ports/Mk/”, line 6706: Unclosed conditional/for loop

    “/usr/ports/Mk/”, line 6706: Unexpected end of file in for loop.

    make: fatal errors encountered — cannot continue

    • Hi Andyrue,

      You can use fetch as usually, no need to run “make fetch”. Which port are you trying to install?

      • Andyrue

        Simple enough….thanks!

  • Andyrue

    I have added the script to /usr/local/etc/rc.d but when I reboot the server I actually get two copies of my jail environment running. If I remove the shell script I don’t get any instances. Any idea why I have two of them?

    • Does the same happens when you manually start the
      Try using /usr/local/etc/rc.d/ezjail onestart .

      • Andyrue

        It only starts one when I manually run it. What’s interesting is it seems that any .sh script I put in /usr/local/etc/rc.d ends up getting run twice. Not sure if it’s a bug within pfSense or what, I found a couple other threads with people having the same problem, but just found work arounds for their purpose or never had resolution.

  • josh4trunks

    wow this is great. I’ve been using pfsense/freenas/freebsd for a while and could have figured this out myself. But the information here is presented so well and clearly this really saved me time and effort!