This guide covers every major networking subsystem in FreeBSD 14. Each section is self-contained -- jump to what you need. For deep dives, follow the links to dedicated articles.
1. Network Interface Configuration
Listing Interfaces
```sh
ifconfig -a
```
To see only interface names and their status:
```sh
ifconfig -l
ifconfig -lu   # only UP interfaces
ifconfig -ld   # only DOWN interfaces
```
Static IP via rc.conf
The persistent way to configure interfaces is through /etc/rc.conf. Use sysrc to avoid manual editing errors:
```sh
sysrc ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
sysrc defaultrouter="192.168.1.1"
```
This writes to /etc/rc.conf and takes effect on reboot or when you restart networking:
```sh
service netif restart && service routing restart
```
DHCP
For DHCP on a specific interface:
```sh
sysrc ifconfig_em0="DHCP"
```
FreeBSD uses dhclient by default. To apply immediately:
```sh
dhclient em0
```
Runtime Changes
For temporary changes that do not survive reboot:
```sh
ifconfig em0 inet 10.0.0.5 netmask 255.255.255.0
ifconfig em0 up
```
Interface Aliases (Multiple IPs)
```sh
sysrc ifconfig_em0_alias0="inet 192.168.1.20 netmask 255.255.255.255"
sysrc ifconfig_em0_alias1="inet 192.168.1.21 netmask 255.255.255.255"
```
Reload with service netif restart.
2. VLANs
FreeBSD uses the if_vlan kernel module for 802.1Q VLAN tagging. See the full walkthrough in FreeBSD VLANs: Complete Guide.
Load the Module
```sh
sysrc kld_list+="if_vlan"
kldload if_vlan
```
Create a VLAN Interface
VLAN 100 on physical interface em0:
```sh
sysrc vlans_em0="100 200"
sysrc ifconfig_em0_100="inet 10.100.0.1 netmask 255.255.255.0"
sysrc ifconfig_em0_200="inet 10.200.0.1 netmask 255.255.255.0"
```
Or create at runtime:
```sh
ifconfig em0.100 create
ifconfig em0.100 inet 10.100.0.1/24 up
```
Trunk Ports
Your upstream switch port must be configured as a trunk carrying the tagged VLANs. FreeBSD handles the tagging/untagging on its end -- no special configuration beyond creating the VLAN interfaces.
Inter-VLAN Routing
Enable IP forwarding and FreeBSD routes between VLAN interfaces automatically:
```sh
sysrc gateway_enable="YES"
sysctl net.inet.ip.forwarding=1
```
See FreeBSD Router and Gateway Setup for a complete routing configuration.
3. Bridging
Bridging connects two or more interfaces at Layer 2. Uses include transparent firewalling and VM networking.
Load and Create
```sh
kldload if_bridge
sysrc kld_list+="if_bridge"
```
```sh
sysrc cloned_interfaces="bridge0"
sysrc ifconfig_bridge0="addm em0 addm em1 up"
sysrc ifconfig_em0="up"
sysrc ifconfig_em1="up"
```
Assign an IP to the Bridge
If the host needs an IP on the bridged network:
```sh
sysrc ifconfig_bridge0="inet 192.168.1.10 netmask 255.255.255.0 addm em0 addm em1 up"
```
STP (Spanning Tree)
Enable STP to prevent loops:
```sh
ifconfig bridge0 stp em0 stp em1
```
Persistent in rc.conf:
```sh
sysrc ifconfig_bridge0="addm em0 stp em0 addm em1 stp em1 up"
```
4. Link Aggregation (LAGG)
LAGG bonds multiple interfaces for redundancy or throughput. See lagg(4) for protocol details.
Load the Module
```sh
kldload if_lagg
sysrc kld_list+="if_lagg"
```
Failover Mode
Active/backup -- traffic uses the first interface, fails over to the second:
```sh
sysrc cloned_interfaces="lagg0"
sysrc ifconfig_em0="up"
sysrc ifconfig_em1="up"
sysrc ifconfig_lagg0="laggproto failover laggport em0 laggport em1 inet 192.168.1.10 netmask 255.255.255.0"
```
LACP (802.3ad)
Requires switch-side LACP configuration:
```sh
sysrc ifconfig_lagg0="laggproto lacp laggport em0 laggport em1 inet 192.168.1.10 netmask 255.255.255.0"
```
Verify aggregation status:
```sh
ifconfig lagg0
```
Look for ACTIVE on both ports and the lacp collector/distributor state.
5. Routing
Default Gateway
```sh
sysrc defaultrouter="192.168.1.1"
```
Static Routes
Add a route to 10.20.0.0/16 via gateway 192.168.1.254:
```sh
sysrc static_routes="office"
sysrc route_office="-net 10.20.0.0/16 192.168.1.254"
```
Apply without reboot:
```sh
service routing restart
```
Or add at runtime:
```sh
route add -net 10.20.0.0/16 192.168.1.254
```
View the Routing Table
```sh
netstat -rn
```
Enable IP Forwarding (Router/Gateway)
```sh
sysrc gateway_enable="YES"
sysctl net.inet.ip.forwarding=1
```
For a full gateway build with NAT, see FreeBSD Router and Gateway Setup.
6. PF Firewall
PF is the standard FreeBSD packet filter. For a detailed walkthrough, see PF Firewall on FreeBSD.
Enable PF
```sh
sysrc pf_enable="YES"
sysrc pflog_enable="YES"
```
Basic pf.conf
Edit /etc/pf.conf:
```sh
# Macros
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"

# Options
set skip on lo0
set block-policy drop

# Scrub
scrub in all

# NAT (outbound for LAN)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny
block all

# Allow outbound
pass out on $ext_if proto { tcp udp icmp } from any to any keep state

# Allow LAN to firewall
pass in on $int_if from $lan_net to any keep state

# Allow SSH to firewall
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```
Load and Manage Rules
```sh
pfctl -f /etc/pf.conf   # reload rules
pfctl -sr               # show loaded rules
pfctl -ss               # show state table
pfctl -si               # show counters
service pf start        # start PF
```
NAT and Port Forwarding
NAT for outbound traffic is shown above. For port forwarding (e.g., forward port 443 to an internal host):
```sh
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> 192.168.1.50 port 443
```
Place rdr rules before filter rules. See NAT on FreeBSD with PF for advanced NAT scenarios.
7. DNS with Unbound
FreeBSD ships with Unbound in base (/usr/sbin/local-unbound) for local caching resolution. For a full-featured resolver serving your LAN, install the Unbound package. See Unbound DNS on FreeBSD for a complete setup guide.
Install and Enable
```sh
pkg install unbound
sysrc unbound_enable="YES"
```
Basic Configuration
Edit /usr/local/etc/unbound/unbound.conf:
```sh
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
    hide-identity: yes
    hide-version: yes

    # Performance
    num-threads: 2
    msg-cache-size: 64m
    rrset-cache-size: 128m

    # DNSSEC
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 9.9.9.9
```
Start and Test
```sh
service unbound start
drill @127.0.0.1 freebsd.org
```
Point /etc/resolv.conf at localhost:
```sh
echo "nameserver 127.0.0.1" > /etc/resolv.conf
```
8. DHCP Server
Use the ISC DHCP server to hand out addresses on your LAN. Package: isc-dhcp44-server. Full guide: DHCP Server on FreeBSD.
Install and Enable
```sh
pkg install isc-dhcp44-server
sysrc dhcpd_enable="YES"
sysrc dhcpd_ifaces="em1"
```
Configuration
Edit /usr/local/etc/dhcpd.conf:
```sh
authoritative;
default-lease-time 3600;
max-lease-time 86400;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    option domain-name "local.lan";
}

# Static assignment
host webserver {
    hardware ethernet aa:bb:cc:dd:ee:ff;
    fixed-address 192.168.1.50;
}
```
Start
```sh
service isc-dhcpd start
```
Check leases in /var/db/dhcpd/dhcpd.leases.
9. VPN with WireGuard
WireGuard is the simplest way to set up a modern VPN on FreeBSD. Package: wireguard-tools. Full guide: WireGuard on FreeBSD.
Install
```sh
pkg install wireguard-tools
```
The if_wg kernel module ships with FreeBSD 14 base.
Generate Keys
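```sh
# Run under umask 077 in a subshell so the private key file is never
# created with group/other read permission, even briefly.
(umask 077; wg genkey | tee /usr/local/etc/wireguard/server_private.key | wg pubkey > /usr/local/etc/wireguard/server_public.key)
chmod 600 /usr/local/etc/wireguard/server_private.key
```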
Server Configuration
Create /usr/local/etc/wireguard/wg0.conf:
```sh
[Interface]
PrivateKey = <server_private_key>
ListenPort = 51820
Address = 10.0.0.1/24

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.0.0.2/32
```
Enable and Start
```sh
sysrc wireguard_interfaces="wg0"
sysrc wireguard_enable="YES"
service wireguard start
```
Verify the tunnel:
```sh
wg show
```
To route all client traffic through the VPN, enable NAT on the server (see PF section above) and set AllowedIPs = 0.0.0.0/0 on the client.
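On the server side, AllowedIPs also acts as a source filter: WireGuard drops decrypted packets whose inner source address is outside the sending peer's AllowedIPs, so a server peer entry wider than a single host lets that peer send from any address in the range. The following is an added example, not part of the original guide: a check that lists such peers for review. The function names, the peer keys and the two extra peers in the sample are constructed for illustration.

```sh
#!/bin/sh
# Added example: list [Peer] entries in a wg-quick style config whose
# AllowedIPs cover more than one host. Reads the files given as arguments,
# or stdin when none are given.
audit_wg_peers() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*\[/ { section = tolower(trim($0)); peer = "(unknown)"; next }
        section != "[peer]" || index($0, "=") == 0 { next }
        {
            # Split at the first "=" only: base64 keys end in "=" padding.
            eq  = index($0, "=")
            key = tolower(trim(substr($0, 1, eq - 1)))
            val = trim(substr($0, eq + 1))
            if (key == "publickey") { peer = val; next }
            if (key != "allowedips") next
            n = split(val, nets, ",")
            for (i = 1; i <= n; i++) {
                net = trim(nets[i])
                if (net !~ /\//) continue        # bare address = single host
                if ((net ~ /:/) ? (net !~ /\/128$/) : (net !~ /\/32$/))
                    print peer, net
            }
        }' "$@"
}

# Constructed sample: the server wg0.conf layout from above with extra peers.
sample_wg_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = <server_private_key>
ListenPort = 51820
Address = 10.0.0.1/24

[Peer]
PublicKey = peer1-constructed-key=
AllowedIPs = 10.0.0.2/32, fd00::2/128

[Peer]
PublicKey = peer2-constructed-key=
AllowedIPs = 10.0.0.3/32, 192.168.50.0/24

[Peer]
PublicKey = peer3-constructed-key=
AllowedIPs = 0.0.0.0/0
EOF
}

sample_wg_conf | audit_wg_peers
```

On a real server, run `audit_wg_peers /usr/local/etc/wireguard/wg0.conf`. A wide entry is legitimate for a site-to-site peer, so treat the output as a review list rather than a failure.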
10. IPv6
SLAAC (Stateless Address Autoconfiguration)
For automatic IPv6 address assignment via router advertisements:
```sh
sysrc ifconfig_em0_ipv6="inet6 accept_rtadv"
sysrc rtsold_enable="YES"
```
Static IPv6
```sh
sysrc ifconfig_em0_ipv6="inet6 2001:db8::1 prefixlen 64"
sysrc ipv6_defaultrouter="2001:db8::fffe"
```
DHCPv6
Install and configure a DHCPv6 client:
```sh
pkg install dhcp6
sysrc dhcp6c_enable="YES"
sysrc dhcp6c_interfaces="em0"
```
Dual-Stack
Run both IPv4 and IPv6 on the same interface -- just set both:
```sh
sysrc ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
sysrc ifconfig_em0_ipv6="inet6 accept_rtadv"
```
IPv6 Forwarding (Router)
```sh
sysrc ipv6_gateway_enable="YES"
sysctl net.inet6.ip6.forwarding=1
```
Router Advertisements with rtadvd
If this FreeBSD box is an IPv6 router:
```sh
sysrc rtadvd_enable="YES"
sysrc rtadvd_interfaces="em1"
```
Configure /etc/rtadvd.conf:
```sh
em1:\
	:addr="2001:db8:1::":prefixlen#64:
```
11. Network Performance Tuning
For a comprehensive guide, see FreeBSD Performance Tuning.
Key sysctl Tunables
Add to /etc/sysctl.conf for persistence:
```sh
# Increase socket buffer sizes
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288

# Enable the BBR TCP stack (FreeBSD 14). BBR and RACK are alternate TCP
# stacks (modules tcp_bbr, tcp_rack), not cc(4) algorithms, so they are
# selected with functions_default rather than net.inet.tcp.cc.algorithm.
# The module load line, tcp_bbr_load="YES", belongs in /boot/loader.conf.
net.inet.tcp.functions_default=bbr

# Increase connection backlog
kern.ipc.soacceptqueue=1024
kern.ipc.somaxconn=1024

# Increase mbuf clusters for high-throughput
kern.ipc.nmbclusters=262144
```
NIC Ring Buffers and Queues
Check current settings:
```sh
sysctl dev.em.0.rx_ring_size
sysctl dev.em.0.tx_ring_size
```
Many modern drivers (igb, ixl, mlx5en) allow tuning via ifconfig:
```sh
ifconfig em0 rxcsum txcsum tso lro
```
Interrupt Coalescing
For igb/ixl NICs, reduce interrupt overhead:
```sh
sysctl dev.igb.0.rx_itr=200
sysctl dev.igb.0.tx_itr=200
```
Disable Power Saving on NICs
Power management can introduce latency:
```sh
sysctl dev.igb.0.power_saving=0
```
loader.conf Tuning
Add to /boot/loader.conf:
```sh
# Increase network mbuf allocation
kern.ipc.nmbclusters="262144"

# Load the BBR TCP stack module (BBR is a TCP stack, tcp_bbr, not a cc_* module)
tcp_bbr_load="YES"

# NUMA-aware networking (multi-socket servers)
net.inet.tcp.per_cpu_timers=1
```
12. Troubleshooting
tcpdump
Capture packets on an interface:
```sh
tcpdump -i em0 -n -c 100
tcpdump -i em0 -n host 192.168.1.50
tcpdump -i em0 -n port 53
tcpdump -i em0 -n -w /tmp/capture.pcap   # write to file
```
netstat
View active connections and listening sockets:
```sh
netstat -an           # all connections
netstat -an -f inet   # IPv4 only
netstat -rn           # routing table
netstat -s -p tcp     # TCP stats
netstat -i            # interface stats
```
sockstat
Show which processes are bound to which ports:
```sh
sockstat -l          # listening sockets
sockstat -4 -l       # IPv4 listening only
sockstat -P tcp -l   # TCP listeners only
```
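A service bound to the wildcard address listens on every interface, including the external one, and is kept off the WAN only by the PF ruleset. The following is an added example, not part of the original guide: it reads `sockstat -4 -l` output and reports wildcard listeners whose port is not on an expected list. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: report listeners bound to the wildcard address ("*:port")
# whose port is not on an allowlist. Reads `sockstat -4 -l` output on stdin.
# $1: space-separated ports that are expected to listen on all addresses.
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "USER" { next }                    # header line
        NF >= 6 {
            # LOCAL ADDRESS is column 6; split it at the last colon.
            port = $6; sub(/.*:/, "", port)
            addr = $6; sub(/:[^:]*$/, "", addr)
            if (addr == "*" && !(port in ok))
                printf "%s %s %s/%s\n", $1, $2, port, $5
        }'
}

# Constructed sample of `sockstat -4 -l` output (not captured from a real host).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
unbound  unbound    901   3  udp4   192.168.1.1:53        *:*
unbound  unbound    901   4  tcp4   192.168.1.1:53        *:*
dhcpd    dhcpd      955   7  udp4   *:67                  *:*
www      nginx      1020  6  tcp4   *:8080                *:*
root     syslogd    700   6  udp4   *:514                 *:*
EOF
}

# SSH and DHCP are expected on all addresses; everything else is reported.
sample_sockstat | audit_listeners "22 67"
```

On a live system, run `sockstat -4 -l | audit_listeners "22"` and either rebind each reported service to a specific address or confirm that the PF rules block it on the external interface.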
arp
Inspect and manage the ARP table:
```sh
arp -a                # show ARP cache
arp -d 192.168.1.50   # delete a specific entry
arp -d -a             # flush ARP cache
```
DNS Troubleshooting
```sh
drill freebsd.org @127.0.0.1
host freebsd.org
dig +trace freebsd.org
```
Interface Diagnostics
```sh
ifconfig em0      # show stats, errors, drops
sysctl dev.em.0   # driver-level counters
```
PF Debugging
```sh
pfctl -sr               # show rules
pfctl -ss               # show state table
pfctl -vvsr             # verbose rules with counters
tcpdump -i pflog0 -n    # read PF log interface
```
Common Issues
No connectivity after reboot: Check that sysrc entries are correct and service netif restart && service routing restart applies them. Verify defaultrouter is set.
VLAN traffic not passing: Confirm the upstream switch port is configured as a trunk. Check that if_vlan is loaded with kldstat | grep if_vlan.
PF blocking legitimate traffic: Temporarily disable PF with pfctl -d, test connectivity, then inspect your rules. Use pfctl -vvsr to see which rules are matching.
Slow throughput: Check for packet errors with netstat -i. Verify hardware offloads are enabled (ifconfig em0 | grep options). Apply the sysctl tunables from Section 11.
FAQ
How do I configure a static IP address on FreeBSD?
Use sysrc to write the interface configuration to /etc/rc.conf:
```sh
sysrc ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
sysrc defaultrouter="192.168.1.1"
service netif restart && service routing restart
```
Replace em0 with your actual interface name. Run ifconfig -l to list interfaces.
How do I set up FreeBSD as a network gateway or router?
Enable IP forwarding, configure at least two interfaces (WAN and LAN), set up NAT with PF, and optionally run DHCP and DNS for your LAN. The minimum configuration:
```sh
sysrc gateway_enable="YES"
sysrc pf_enable="YES"
```
Then add NAT rules to /etc/pf.conf. See FreeBSD Router and Gateway Setup for the complete walkthrough.
What is the best VPN for FreeBSD?
WireGuard is the recommended choice for most use cases on FreeBSD 14. The if_wg module is in the base system, setup takes minutes, and performance is significantly better than OpenVPN. Install wireguard-tools and follow WireGuard on FreeBSD.
How do I troubleshoot network issues on FreeBSD?
Start with ifconfig to verify the interface is UP with the correct IP. Check the routing table with netstat -rn. Use tcpdump -i em0 -n to see packets. If PF is active, run pfctl -sr to review rules and tcpdump -i pflog0 to see blocked packets. Check for DNS issues with drill or host. See Section 12 above for the full troubleshooting toolkit.