by bb01100100 70 days ago
Agreed on both counts - excellent write-up.

I use FreeBSD jails and get a lot of value out of separate network stacks for each (vnet jails).

Would the NetBSD approach here be to lean more heavily on your LAN infra to register hostnames with static addresses (pointing at NetBSD host) and then run a host proxy to forward & port-map to the relevant cell? Or is this the wrong kind of use-case for cells?

1 comments

I don't personally like proxies, intermediaries, but that said they've been entirely normalised by Kubernetes/Traefik/HAProxy type setups. I do find managing the bridge pseudo-devices, and the various bindings, and DHCP/SLAAC a bit painful because I actually don't understand it well.

I use Bastille, and it seems to "just work" and I looked at Sylve and it had huge potential. When I ask for some ELI5 on bridge/net stuff, I don't get traction so my confusion remains.

I think a lot of people enable NAT methods which aren't that far removed from a host proxy or port-map. I don't like NAT (see comment above about k8s).