[monotux]

> Virtual network for a bunch of jails with nat. I wanted exposed ports on the host machine mapped to a reverse proxy jail that did tls termination before forwarding to other jails on a virtual network (while allowing the jails on the virtual net outgoing internet access).

Jails are old, and there's a wealth of outdated documentation around which makes it confusing when trying to understand how things works.

In case someone else is reading this, it's not different from what Docker does automatically for you.

I typically use vnet (which gives the jail an entire virtualized network stack, something like macvlan?) and either use NAT or bridges for connectivity. NAT for machines with only one public IP (like VPSes) and bridges for homelab setup where I want a more visible setup.

When setting up NAT I just use PF as my firewall, and assign static addresses to each jail.

[chupasaurus]

Virtualized network stacks in Linux are network namespaces with a difference of not being tied to a specific "prison". So every Docker network regardless of type creates one.

[chillfox]

I never had any doubt that it was possible, I just couldn't figure out how to get it working and in the end decided to not bother with jails.

[monotux]

Ah, understandable. I remember being slightly confused when starting to use jails again, after being used to the near magical setup of Docker/etc on Linux. Like manually setting up bridges and VLANs to make it work like I wanted? WTH.

Now I dislike using Docker for similar tasks, as I find it to be more work than just doing the same setup with VNET, bridges and VLANs. I'm a fossil and I want to run different services on different VLANs, which in Docker lingo is considered "legacy application setup" (looking at the macvlan documentation).