Add a bridge on host for private network communications

ip link add name j type bridge
ip link set j up

lxc profile copy default jclients # Then edit eth0 like below

config: {}
description: Test j dhcp clients
devices:
  eth0:
    nictype: bridged
    parent: j
    type: nic
  root:
    path: /
    pool: dir
    type: disk
name: jclients

lxc profile copy default jfw # Then edit to add eth1 like below

config: {}
description: Test j firewall with 2 nics
devices:
  eth0:
    nictype: bridged
    parent: lxdbr0
    type: nic
  eth1:
    nictype: bridged
    parent: j
    type: nic
  root:
    path: /
    pool: dir
    type: disk
name: jfw

Create containers

lxc launch ubuntu:20.04 jfw -p jfw
lxc launch ubuntu:20.04 jclient1 -p jclients

Disable resolved

sudo systemctl disable systemd-resolved.service
sudo systemctl stop systemd-resolved
rm /etc/resolv.conf
echo "nameserver <mynamserver>" > /etc/resolv.conf

apt install dnsmasq

/etc/dnsmasq.conf

dhcp-option=15,"test.uvoo.io"
domain=test.uvoo.io
cache-size=10000 # df 150
except-interface=eth0
bind-interfaces
expand-hosts
dns-forward-max=1100
dhcp-option=3,0.0.0.0
dhcp-option=6,0.0.0.0
dhcp-range=eth1,192.168.200.100,192.168.200.200,12h # You don't need to specify interface as it should pick it up from int ip

restart service

systemclt restart dnsmasq

Sniff traffic if wanted

sudo tcpdump -nnpli j

Alternate container create/apply

lxc init ubuntu:20.04 jfw
lxc init ubuntu:20.04 jclient1
lxc profile apply jfw jfw
lxc profile apply jclient1 jclients

Start containers

lxc start jfw
lxc start jclient1