Jail question

Matthew Law matt at webcontracts.co.uk
Thu Oct 14 16:37:16 UTC 2010


I have a single box on which I would like to run openvpn, smtp (postfix,
dspam, greylist, clamav), imap (dovecot) apache22 and bind.  This box also
acts as a network gateway so it would give an attacker carte blanche to
the internal nets if it was compromised, which makes me nervous.  The plan
is to run openvpn as the only unjailed service and the rest of the
services in a single jail or their own jails.

I have never touched jails before and I'm a bit unsure of the best way to
go.  I realise that I can jail a service or a copy of the whole system
(service would be preferable for space efficiency) but I am unclear on how
to deal with IP addresses in jailed environments and if I should create
individual jails or a single jail for all services.  At the moment I am
leaning toward a single system jail for everything so I can keep the space
in which openvpn runs as uncluttered as possible and also have a single
postgres instance shared by the other services.  Basically, if any of the
public services in the jail are compromised I would like to make it very
hard for the attacker to see the internal network.

If I use this scheme must I use separate public IPs for openvpn and the
services jail, or is it possible to use a single IP or some NAT/PAT scheme?
This box currently has 4 x NICs split into 2 x lagg interfaces in failover
mode (one public, one private), if that makes any difference.

Sorry for the rambling question and I hope this makes sense!

Matt.
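One way to lay out the scheme asked about above, as an added example that is not from the original post or the FreeBSD project: jail(8) definitions in jail.conf(5) give each public service its own address on a cloned loopback reserved for jails, and pf forwards the relevant ports from the single public address on lagg0 to those jails while blocking the jail subnet from the internal network. The interface names (lagg0 public, lagg1 private, lo1 for jails), the 10.10.10.0/24 jail subnet, the 192.168.0.0/16 internal range, the jail paths and the hostnames are all assumptions; only the jail-related pf rules are shown.

```conf
# /etc/jail.conf (added example, assumes a release that ships jail.conf(5))
# Jails live on lo1 (rc.conf: cloned_interfaces="lo1"), so none of them
# holds an address on the internal segment behind lagg1.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
allow.raw_sockets = 0;                 # jailed processes cannot craft packets
path = "/usr/jails/$name";             # assumed layout
host.hostname = "$name.example.org";   # placeholder domain

mail { ip4.addr = "lo1|10.10.10.2/24"; }   # postfix, dspam, greylist, clamav, dovecot
www  { ip4.addr = "lo1|10.10.10.3/24"; }   # apache22
dns  { ip4.addr = "lo1|10.10.10.4/24"; }   # bind
db   { ip4.addr = "lo1|10.10.10.5/24"; }   # shared postgres, never forwarded to

# /etc/pf.conf (added example, jail-related rules only)
ext_if   = "lagg0"            # public failover lagg
int_if   = "lagg1"            # private failover lagg
int_net  = "192.168.0.0/16"   # assumed internal range
jail_net = "10.10.10.0/24"

set skip on { lo0, lo1 }      # host <-> jail and jail <-> jail traffic is local

# Single public IP: outbound jail traffic is NATed to it, inbound service
# ports are redirected to the jail that owns them (translation happens
# before filtering, so the pass rules below see the jail addresses).
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port { 25, 143, 993 } -> 10.10.10.2
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> 10.10.10.3
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 53 -> 10.10.10.4

block log all

# A compromised jail must not reach the internal nets on any interface.
block log quick from $jail_net to $int_net

pass in on $ext_if proto tcp to 10.10.10.2 port { 25, 143, 993 }
pass in on $ext_if proto tcp to 10.10.10.3 port { 80, 443 }
pass in on $ext_if proto { tcp, udp } to 10.10.10.4 port 53
pass out on $ext_if             # covers NATed jail traffic and the host itself
```

Separate public IPs are therefore not required for this layout; the trade-off is that every forwarded service shares the one address, so the rdr rules and the block rule for the internal range are what keep the jails apart from the gateway's private side.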




More information about the freebsd-questions mailing list