Are you sure there is exactly one DHCP server running?
I’m exclusively running unprivileged LXC containers and haven’t had any issues regarding the firewall, neither with iptables nor nftables.
No, it is not like Docker. You can treat an LXC container pretty much like a VM in most instances, including firewall rules. To answer the question, you can use fail2ban just like you had done in your VM, meaning you can run it inside the LXC container, where fail2ban can change the firewall rules of that container as it sees fit.
You could give bubblewrap a try instead. It is quite similar to systemd-nspawn.
Try disabling the second DHCP server altogether. You only need one, since you have a flat network.