Hi everyone, I have a server (ubuntu 14.04 lts) running KVM with a few guests (each with static IP addresses) which I manage using libvirt. This machine has a wired interface (br0 / p2p1) connecting to my internal network and a wireless interface using dhcp (ppp0) as a secondary direct connection to the internet. My goal is route all administration traffic for both the host and guests through the wired interface (br0); while routing the service traffic, and _only_ this traffic, through the ppp0 interface. For example: One vm is a webserver and I wish to route all traffic on ports 80 & 443 from ppp0 to that vm. Another vm is a mailserver and I wish to route all the imap & pop traffic from ppp0 to that vm. At the same time, I wish to be able to ssh in through the wired interface (p2p1) and route all system maintenance traffic through the wired interface as well. Additionally I wish to drop/reject incoming traffic on ppp0 which is not on these specified ports. Reading the libvirt documentation, I have found a section which very nearly describes my needs: http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections Unfortunately, I am unsure how to correcting modify the given examples to meet my specific needs. To begin with, the examples assume a static external IP, while mine is dynamic. I think I would like to refer to interface by name (ppp0) or perhaps create a secondary bridge (br1) with a static IP, the ppp0 included with "bridge_prts ppp0" command, and then refer to the static IP of the new bridge (br1). Next, I don't see the correct mechanism which I could configure such that all traffic coming in ppp0 which was not on the specified ports is rejected/dropped and all administrative traffic, originating from both the host and guests, is routed through the wired interface. I am assuming that this also should be done through libvirt/virsh and not directly through iptables. If it matters, the wired interface connects to a router running shorewall (and thus the server is in the "dmz" zone). The server itself is not running shorewall or any other similar things. The router is managing the primary connection to internet, which is distinct from the secondary wireless interface on the server, it is connecting to a different ISP. If anyone could give me some advice or point me to some additional or more relevant documentation/examples I would really, really appreciate it. Thanks!