Best practices with network settings for virtualization

[Miroslav Lachman]

I would like to ask some really experienced person - what is the best 
way to run virtual guests connected to network with public IPs?

I think many people run unsecure setup with guests with simple bridged 
network.

I know there are many options with tun, bridge, epair, VDE, Open vSwitch 
etc., my main concern is the setup of network where each guest can use 
only predefined MAC and predifined IP(s). If some malicious user or 
malware in guest OS tried to change MAC od IP, I would like to disallow 
that or do not allow any offending traffic to reach outside network or 
any other guest running on the same machine.
Guests can be VirtualBox, Bhyve or anything else.

I really appreciate any help or ideas.

--
Miroslav Lachman

PS: I don't know if this is the best lsit to ask, maybe freebsd-net@ is 
better place?