Migrating Burningboard.net Mastodon Instance to a Multi-Jail FreeBSD Setup

Source: https://news.ycombinator.com/rss
Summary

Over the last few weeks, I’ve been working on migrating our Mastodon instance burningboard.net from its current Linux host to a modular FreeBSD jail-based setup powered by BastilleBSD. This post walks through the architecture and design rationale of my new multi-jail Mastodon system, with aggressive separation of concerns, centralized firewalling, and a fully dual-stack network design.

Acknowledgements

This work is based on the excellent post by Stefano Marinelli: “Installing Mastodon on a FreeBSD jail”. Stefano’s article inspired me to try Mastodon on FreeBSD. My implementation takes that foundation and extends it for a more maintainable, production-ready architecture.

Design Goals

The motivation behind this move:

- Central PF firewall: all filtering, NAT, and routing are handled by the host only. Jails see a clean, local L2 view: no PF inside jails, no double NAT.
- Separation of concerns: every jail runs exactly one functional service:
  - nginx: reverse proxy and TLS termination
  - mastodonweb: Puma / Rails web backend
  - mastodonsidekiq: background jobs
  - database: PostgreSQL and Valkey (Redis fork)
- Host-managed source: the Mastodon source tree is shared via nullfs between the web and sidekiq jails. Common .env.production, shared dependencies, a single codebase to maintain.
- Clean dual-stack (IPv4 + IPv6): every component is reachable under both protocols; no NAT66 or translation hacks.
- Predictable networking: each functional group lives on its own bridge with private address space.
Jail and Network Overview

Example address plan (using RFC 5737 and RFC 3849 documentation spaces):

Jail              Purpose                    IPv4            IPv6
nginx             Reverse proxy              192.0.2.13      2001:db8:8000::13
mastodonweb       Rails backend              198.51.100.9    2001:db8:9000::9
mastodonsidekiq   Workers                    198.51.100.8    2001:db8:b000::8
database          PostgreSQL + Valkey        198.51.100.6    2001:db8:a000::6
Host              burningboard.example.net   203.0.113.1     2001:db8::f3d1

Each functional bucket gets its own bridge(4) interface on the host (bastille0..bastille3) and its own /24 and /64 subne...
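A host-side pf.conf that implements the design goals above (central filtering, IPv4 NAT for the jails, natively routed IPv6, and one inbound rule per allowed jail-to-jail flow), written here as an added example; it is not the post's own configuration nor the burningboard.net ruleset. It uses the address plan above. The public interface name vtnet0, the assignment of bastille0..bastille3 to nginx, mastodonweb, mastodonsidekiq and database in that order, and the service ports (Puma 3000, PostgreSQL 5432, Valkey 6379, host SSH 22) are assumptions taken from Mastodon, PostgreSQL and Valkey defaults, not from the post.

```pf
# /etc/pf.conf on the jail host (added example, not the post's config).
# Assumed: vtnet0 is the public NIC; bridge order and service ports are
# defaults, not stated in the post.

ext_if = "vtnet0"

# One bridge(4) per functional group (bridge-to-jail order is assumed)
br_nginx   = "bastille0"
br_web     = "bastille1"
br_sidekiq = "bastille2"
br_db      = "bastille3"

# Jail addresses from the address plan, both address families per jail
nginx    = "{ 192.0.2.13, 2001:db8:8000::13 }"
web      = "{ 198.51.100.9, 2001:db8:9000::9 }"
sidekiq  = "{ 198.51.100.8, 2001:db8:b000::8 }"
db       = "{ 198.51.100.6, 2001:db8:a000::6 }"
nginx_v4 = "192.0.2.13"

# Every prefix that lives behind the host
table <jails> { 192.0.2.0/24, 198.51.100.0/24, \
                2001:db8:8000::/64, 2001:db8:9000::/64, \
                2001:db8:a000::/64, 2001:db8:b000::/64 }

db_ports  = "{ 5432, 6379 }"   # PostgreSQL, Valkey (assumed defaults)
puma_port = "3000"             # Mastodon Puma default (assumed)

set skip on lo0
set block-policy drop
scrub in all

# --- translation: IPv4 only. IPv6 is routed natively, no NAT66. ---
nat on $ext_if inet from <jails> to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $nginx_v4

# --- filtering: default deny, first matching "quick" rule wins ---
block log all

# Neighbour discovery and PMTU must pass or IPv6 silently breaks
pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, \
    routeradv, echoreq, echorep, toobig, timex, paramprob, unreach }
pass quick inet proto icmp icmp-type { echoreq, unreach }

# Policy is decided where a packet enters the host; anything that got past
# an inbound rule may leave on any interface.
pass out quick on { $ext_if, $br_nginx, $br_web, $br_sidekiq, $br_db }

# Public side: only the reverse proxy is exposed (v4 after rdr, v6 directly),
# plus host management.
pass in quick on $ext_if proto tcp to $nginx port { 80, 443 }
pass in quick on $ext_if proto tcp to ($ext_if) port 22      # host SSH (assumed)

# nginx -> Rails backend only
pass in quick on $br_nginx proto tcp from $nginx to $web port $puma_port

# web and sidekiq -> PostgreSQL / Valkey
pass in quick on $br_web     proto tcp from $web     to $db port $db_ports
pass in quick on $br_sidekiq proto tcp from $sidekiq to $db port $db_ports

# Federation, remote media, SMTP, ACME: these jails may reach the outside
# world, but not each other except through the rules above.
pass in quick on $br_nginx   from $nginx   to ! <jails>
pass in quick on $br_web     from $web     to ! <jails>
pass in quick on $br_sidekiq from $sidekiq to ! <jails>

# The database jail has no inbound-on-its-bridge rule at all: it can only
# answer connections that web or sidekiq opened, never initiate anything.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. Forwarding between the bridges requires `gateway_enable="YES"` and `ipv6_gateway_enable="YES"` in rc.conf alongside `pf_enable="YES"`, and the "no NAT66" goal only holds if the upstream routes the jail /64s to the host's address (or the host answers neighbour discovery for them); otherwise inbound IPv6 to the jails never arrives. The rules filter routed traffic, so two jails placed on the same bridge could talk at L2 without ever hitting this policy; the one-jail-per-bridge layout in the post is what makes the ruleset complete. The IPv4 prefixes overlap in the table only because the post substitutes documentation space for the real per-bridge /24s.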

First seen: 2025-12-08 10:25

Last seen: 2025-12-08 11:25