Difference between revisions of "Dnsmasq TestNetwork"

 
(4 intermediate revisions by the same user not shown)
Line 84: Line 84:
 
dhcp-option=6,0.0.0.0
 
dhcp-option=6,0.0.0.0
 
dhcp-range=eth1,192.168.200.100,192.168.200.200,12h # You don't need to specify interface as it should pick it up from int ip
 
dhcp-range=eth1,192.168.200.100,192.168.200.200,12h # You don't need to specify interface as it should pick it up from int ip
 +
dhcp-host=74:46:a0:92:5a:76,192.168.200.11 # lxd eno1
 +
address=/jclientstatic.uvoo.io/192.168.200.11
 +
address=/host1.jtest.io/192.168.200.12
 +
ptr-record=12.200.168.192.in-addr.arpa.,"host1.jtest.io"
 
```
 
```
  
Line 94: Line 98:
 
systemclt restart dnsmasq
 
systemclt restart dnsmasq
 
```
 
```
 +
 +
Install nftables
 +
```
 +
apt update && apt install nftables
 +
```
 +
 +
/etc/nftables.conf
 +
```
 +
#!/usr/sbin/nft -f
 +
 +
flush ruleset
 +
 +
table inet filter {
 +
        chain input {
 +
                type filter hook input priority 0;
 +
        }
 +
        chain forward {
 +
                type filter hook forward priority 0;
 +
        }
 +
        chain output {
 +
                type filter hook output priority 0;
 +
        }
 +
}
 +
 +
# NAT
 +
table ip nat {
 +
        chain prerouting {
 +
                type nat hook prerouting priority 0; policy accept;
 +
        }
 +
 +
        # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
 +
        chain postrouting {
 +
                type nat hook postrouting priority 100; policy accept;
 +
                oifname "eth0" masquerade
 +
        }
 +
}
 +
```
 +
 +
```
 +
apt install bind9
 +
```
 +
 +
/etc/bind/named.conf.options
 +
```
 +
// https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
 +
// https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_05.htm
 +
// https://kb.isc.org/docs/aa-00851
 +
acl goodclients {
 +
        192.0.200.0/24;
 +
        localhost;
 +
        localnets;
 +
};
 +
 +
options {
 +
        directory "/var/cache/bind";
 +
        recursion yes;
 +
        allow-query { goodclients; };
 +
 +
        forwarders {
 +
                10.1.1.1;
 +
        };
 +
        forward only;
 +
 +
        auth-nxdomain no;    # conform to RFC1035
 +
 +
        dnssec-enable yes;
 +
        dnssec-validation yes;
 +
        // dnssec-validation auto;
 +
 +
        listen-on-v6 { any; };
 +
};
 +
```
 +
  
 
Sniff traffic if wanted
 
Sniff traffic if wanted
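Review bot: The filter table added to /etc/nftables.conf has no rules and no `policy` on any chain, so all three chains default to accept and jfw forwards and masquerades whatever arrives on eth1 — nothing is actually filtered. The forward chain at least needs `policy drop;` with `ct state established,related accept` and `iifname "eth1" oifname "eth0" accept`, and the input chain should be locked down the same way (lo, established, and udp 53/67 plus tcp 53 on eth1 for dnsmasq); a sketch follows. In the named.conf.options hunk the ACL entry `192.0.200.0/24;` does not match the 192.168.200.0/24 LAN configured earlier on the page, so LAN clients are only admitted via `localnets`; and `dnssec-validation yes;` requires explicitly configured trust anchors, so the commented-out `dnssec-validation auto;` is likely what was intended. Installing bind9 with its default listen-on next to dnsmasq (`bind-interfaces`, eth1) will very probably contend for port 53 on 192.168.200.1, so one of the two needs a different port or interface before both are enabled.
```nft
table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                iif "lo" accept
                ct state established,related accept
                ct state invalid drop
                # dnsmasq serves DNS and DHCP on the LAN side only
                iifname "eth1" udp dport { 53, 67 } accept
                iifname "eth1" tcp dport 53 accept
                # DHCP client replies for jfw's own leases
                udp dport { 68, 546 } accept
                meta l4proto { icmp, ipv6-icmp } accept
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related accept
                iifname "eth1" oifname "eth0" accept
        }
        # … unchanged: output chain …
}
# … unchanged: nat table …
```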

Latest revision as of 19:25, 10 October 2020

Add a bridge on host for private network communications

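# Create the host bridge that carries the private test network (jfw's eth1 and
# the jclients containers). Guarded so the snippet can be re-run: a bare
# 'ip link add' fails if the bridge 'j' already exists.
ip link show j >/dev/null 2>&1 || ip link add name j type bridge
ip link set j up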

lxc profile copy default jclients # Then edit eth0 like below

# LXD profile for the DHCP test clients: a single NIC attached to the host
# bridge 'j' created above with 'ip link add name j type bridge'.
config: {}
description: Test j dhcp clients
devices:
  eth0:
    nictype: bridged
    parent: j
    type: nic
  root:
    path: /
    pool: dir
    type: disk
name: jclients

lxc profile copy default jfw # Then edit to add eth1 like below

# LXD profile for the firewall container: eth0 on LXD's default bridge
# (lxdbr0, the "WAN" side) and eth1 on the private bridge 'j' (the "LAN"
# side that the jclients profile attaches to).
config: {}
description: Test j firewall with 2 nics
devices:
  eth0:
    nictype: bridged
    parent: lxdbr0
    type: nic
  eth1:
    nictype: bridged
    parent: j
    type: nic
  root:
    path: /
    pool: dir
    type: disk
name: jfw

Create containers

# Launch the two-NIC firewall with its profile, then one client on the private bridge.
lxc launch ubuntu:20.04 jfw -p jfw
lxc launch ubuntu:20.04 jclient1 -p jclients

Disable systemd-resolved and point the container at a fixed upstream resolver

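# Take systemd-resolved out of the picture so /etc/resolv.conf becomes a plain
# file under our control. 'disable --now' stops and disables in one step.
sudo systemctl disable --now systemd-resolved.service
# On Ubuntu /etc/resolv.conf is a symlink into /run/systemd/resolve; remove it
# before writing a real file. The write goes through 'sudo tee' because a bare
# '> /etc/resolv.conf' redirect would run as the unprivileged caller, not root.
sudo rm -f /etc/resolv.conf
nameserver='<mynameserver>'   # replace with the upstream resolver's IP address
printf 'nameserver %s\n' "$nameserver" | sudo tee /etc/resolv.conf >/dev/null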

/etc/netplan/50-cloud-init.yaml

# /etc/netplan/50-cloud-init.yaml inside the jfw container.
# NOTE(review): cloud-init normally regenerates this file on boot unless its
# network configuration is disabled (e.g. a /etc/cloud/cloud.cfg.d/ drop-in
# with 'network: {config: disabled}') -- confirm before relying on hand edits.
network:
  version: 2
  ethernets:
    # WAN side: attached to lxdbr0 (see the jfw profile), addressed by DHCP.
    eth0:
      dhcp4: true
    # LAN side: attached to bridge j. jfw is the static gateway/DNS at .1;
    # dnsmasq (below) leases 192.168.200.100-200 to the clients.
    eth1:
      dhcp4: no
      # NOTE(review): DHCPv6 client stays enabled on the interface this host
      # serves DHCP on -- verify that is intended.
      dhcp6: true
      addresses: [ 192.168.200.1/24 ]

apt install dnsmasq

/etc/dnsmasq.conf

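# /etc/dnsmasq.conf -- DHCP + DNS for the private test network behind jfw (eth1).
# Comments are kept on their own lines: dnsmasq's documented comment syntax is a
# leading '#', and a comment trailing a value is not guaranteed to parse.

# Domain pushed to DHCP clients (option 15) and appended to bare hostnames.
dhcp-option=15,"test.uvoo.io"
domain=test.uvoo.io
expand-hosts

# Default cache is 150 entries; raised for a busier test LAN.
cache-size=10000
dns-forward-max=1100

# Serve the private side only: never listen on the WAN-facing eth0, and bind
# each listening interface individually rather than the wildcard address (the
# documented use-case is coexisting with another nameserver on the same host).
except-interface=eth0
bind-interfaces

# 0.0.0.0 is expanded by dnsmasq to its own address on the serving interface,
# so jfw advertises itself as default gateway (3) and DNS server (6).
dhcp-option=3,0.0.0.0
dhcp-option=6,0.0.0.0

# Lease pool on eth1. The interface tag is optional; dnsmasq can pick the
# interface from the range's subnet.
dhcp-range=eth1,192.168.200.100,192.168.200.200,12h

# Fixed lease for the LXD host's eno1. NOTE: a MAC-based reservation is a
# convenience, not authentication -- any client on the bridge can spoof it.
dhcp-host=74:46:a0:92:5a:76,192.168.200.11

# Static forward records; these override whatever upstream returns for the names.
address=/jclientstatic.uvoo.io/192.168.200.11
address=/host1.jtest.io/192.168.200.12

# Reverse record for host1 only; .11 has no matching PTR -- add one if reverse
# lookups of jclientstatic.uvoo.io are needed.
ptr-record=12.200.168.192.in-addr.arpa.,"host1.jtest.io"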
dnsmasq --test

restart service

systemclt restart dnsmasq

Install nftables

apt update && apt install nftables

/etc/nftables.conf

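#!/usr/sbin/nft -f
# /etc/nftables.conf for the jfw container: eth0 = WAN (lxdbr0), eth1 = LAN (bridge j).
# Load with 'nft -f /etc/nftables.conf' or 'systemctl enable --now nftables'.
# Routing between the two NICs also needs net.ipv4.ip_forward=1, which is not
# shown anywhere on this page.

flush ruleset

table inet filter {
        # Traffic addressed to the firewall itself. Default-deny: chains with
        # no policy and no rules accept everything, which is not a firewall.
        chain input {
                type filter hook input priority 0; policy drop;

                iif "lo" accept
                ct state established,related accept
                ct state invalid drop

                # dnsmasq serves DNS (53) and DHCP (67) on the LAN side only.
                iifname "eth1" udp dport { 53, 67 } accept
                iifname "eth1" tcp dport 53 accept

                # DHCPv4/DHCPv6 client replies for jfw's own leases (eth0 via
                # lxdbr0; netplan also enables dhcp6 on eth1). Broadcast /
                # multicast DHCP exchanges are not reliably matched by conntrack.
                udp dport { 68, 546 } accept

                # ping, path-MTU and IPv6 neighbour discovery.
                meta l4proto { icmp, ipv6-icmp } accept

                # Management is via 'lxc exec'; add an ssh rule here if needed.
        }

        # Routed traffic: only LAN -> WAN may be initiated, replies return via
        # conntrack. WAN -> LAN and anything on unknown interfaces is dropped.
        chain forward {
                type filter hook forward priority 0; policy drop;

                ct state established,related accept
                ct state invalid drop
                iifname "eth1" oifname "eth0" accept
        }

        # Locally generated traffic is unrestricted.
        chain output {
                type filter hook output priority 0; policy accept;
        }
}

# NAT
table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
        }

        # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                oifname "eth0" masquerade
        }
}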
apt install bind9

/etc/bind/named.conf.options

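// /etc/bind/named.conf.options -- BIND as a caching forwarder for the test LAN.
// https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
// https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_05.htm
// https://kb.isc.org/docs/aa-00851

// Clients allowed to query (and, via allow-recursion, to recurse). The test
// LAN is 192.168.200.0/24 as set in netplan and dnsmasq; the earlier
// 192.0.200.0/24 was a typo that only worked because 'localnets' happened to
// cover eth1's subnet.
acl goodclients {
        192.168.200.0/24;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { goodclients; };
        // Stated explicitly instead of relying on the allow-query fallback.
        allow-recursion { goodclients; };
        // Nothing here is authoritative; refuse zone transfers outright.
        allow-transfer { none; };

        // Pure forwarder: never fall back to iterative resolution.
        forwarders {
                10.1.1.1;
        };
        forward only;

        auth-nxdomain no;    # conform to RFC1035

        // 'dnssec-validation yes' requires manually configured trust anchors;
        // 'auto' uses the built-in root key and is what the stock Ubuntu
        // config ships. With 'forward only', validation additionally depends
        // on the forwarder returning DNSSEC records.
        dnssec-validation auto;
        // 'dnssec-enable' is deprecated in BIND 9.16 and removed in 9.18; its
        // default is already yes, so it is omitted.

        // NOTE(review): no 'listen-on' is set, so named binds port 53 on every
        // IPv4 address, including 192.168.200.1 where dnsmasq (bind-interfaces,
        // eth1) is also listening -- one of the two will fail to bind. Decide
        // who owns port 53 (e.g. 'listen-on { 127.0.0.1; };' here and have
        // dnsmasq forward to it) before enabling both.
        listen-on-v6 { any; };
};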

Sniff traffic if wanted

sudo tcpdump -nnpli j

Alternate container create/apply

# Two-step alternative to 'lxc launch -p': create the containers stopped, then
# attach the profiles. (Newer LXD releases document this subcommand as
# 'lxc profile assign'; 'apply' is the older spelling.)
lxc init ubuntu:20.04 jfw
lxc init ubuntu:20.04 jclient1
lxc profile apply jfw jfw
lxc profile apply jclient1 jclients

Start containers

# jfw first, so the bridge's DHCP/DNS server (dnsmasq on eth1) is up before
# the client asks for a lease.
lxc start jfw
lxc start jclient1

Ref