Set this up with IPv6 and everything can talk directly to each other without all the extra NAT. Use the load balancer and port forward to expose services to the legacy Internet.

The AAAA record, IPv6's equivalent to the A record, is increasingly prevalent. dig defaults to only returning A records, so you'll need to do an additional query with the type set or use the host command, also included in bind-utils.

$ host has address has IPv6 address 2a03:2880:f112:83:face:b00c:0:25de mail is handled by 10