Appears to be similar to When LXD creates NAT rules for proxy, could it also SNAT back hairpin connections from lxdbr0? … but why this one container? Why not all of them? In all cases, I’m not hair-pinning on the bridge from one container to another, it’s external traffic to the container that breaks.