How to hide one bridge from a dual-homed host while retaining access for the lxc containers to both bridges?

my network has an “external” subnet and a “backoffice” subnet. there is a firewall between the external and backoffice subnets and a user on the backoffice subnet has to go thru the firewall to accesses resources on the external subnet.

this question concerns a dual-homed host with a physical nic on both subnets. the host has been configured with two bridges, one for each subnet, each with a physical nic.

this is not a question on how to provide network connectivity to the containers. there are a number of LXC containers on this host, some are configured to see only the external bridge and some are configure to see both bridges and that all works fine and as expected.

the is a question on how to control which bridges a non-lxc process or user sees without limiting connectivity for the LXC containers.

specifically, i would like to limit the network connectivity of a non-LXC process (or user) to only the back-office bridge so that packets from such a user or process will have to go thru the firewall to reach the external subnet.

with the current configuration the host has direct visibility to a nic on the external subnet and thus packets go directly from that nic to that subnet without passing thru the firewall.

any ideas on how to attack this?