diff --git a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
index 674cc986503..9adade3ad4e 100644
--- a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
+++ b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
@@ -3189,8 +3189,14 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
             return false;
         }
         /*FIX ME: */
-        InterfaceDef intf = intfs.get(intfs.size() - 1);
-        String brname = intf.getBrName();
+        String brname = null;
+        if (vmName.startsWith("r-")) {
+            InterfaceDef intf = intfs.get(0);
+            brname = intf.getBrName();
+        } else {
+            InterfaceDef intf = intfs.get(intfs.size() - 1);
+            brname = intf.getBrName();
+        }
         
     	Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
     	cmd.add("default_network_rules_systemvm");
diff --git a/server/src/com/cloud/network/guru/DirectNetworkGuru.java b/server/src/com/cloud/network/guru/DirectNetworkGuru.java
index e149ab04aba..2435076431e 100644
--- a/server/src/com/cloud/network/guru/DirectNetworkGuru.java
+++ b/server/src/com/cloud/network/guru/DirectNetworkGuru.java
@@ -120,6 +120,11 @@ public class DirectNetworkGuru extends AdapterBase implements NetworkGuru {
             }
         }
         
+        if (config.isSecurityGroupEnabled()) {
+            config.setName("SecurityGroupEnabledNetwork");
+            config.setDisplayText("SecurityGroupEnabledNetwork");
+        }
+        
        return config;
     }
     
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index 96adcd7ccf4..8e5996c0e23 100644
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -789,7 +789,7 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
         Long podId = dest.getPod().getId();
         
         //In Basic zone and Guest network we have to start domR per pod, not per network
-        if (dc.getNetworkType() == NetworkType.Basic && guestNetwork.getTrafficType() == TrafficType.Guest) {
+        if ((dc.getNetworkType() == NetworkType.Basic || guestNetwork.isSecurityGroupEnabled()) && guestNetwork.getTrafficType() == TrafficType.Guest ) {
             router = _routerDao.findByNetworkAndPod(guestNetwork.getId(), podId);
         } else {
             router = _routerDao.findByNetwork(guestNetwork.getId());
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index 6e41477ed00..0f1c5a1e463 100644
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -417,7 +417,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
 	}
 	
 	protected void handleVmMigrated(VMInstanceVO vm) {
-	    if (vm.getType() == VirtualMachine.Type.User )
+	    if (vm.getType() == VirtualMachine.Type.User || !isVmSecurityGroupEnabled(vm.getId()))
             return;
 	    NetworkRulesSystemVmCommand nrc = new NetworkRulesSystemVmCommand(vm.getInstanceName(), vm.getType());
 	    Commands cmds = new Commands(nrc);