UFW and routed Containers

Greetings, back with another UFW/LXD question. I have two containers that obtain IPs via the “routed” feature as described here: Mi blog la!. Notwithstanding one container being assigned two virtual NICs (see below), it appears to work flawlessly:

+------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+
| navidrome  | RUNNING | 192.168.86.105 (eth0) |                                               | CONTAINER | 0         |
+------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+
| plex       | RUNNING | 192.168.86.106 (eth1) | fd42:248c:b6e4:e4ac:216:3eff:fe0e:8dde (eth0) | CONTAINER | 0         |
|            |         | 192.168.86.106 (eth0) |                                               |           |           |
+------------+---------+-----------------------+-----------------------------------------------+-----------+-----------+

The issue I am running into is that I can’t seem to create a UFW rule that persistently routes requests through the firewall and onto the two routed containers.

Previously I had been having issues with a container that obtained its IP via lxdbr0. This was easily solved via the advice found here: lxdbr0 fix.

However, this will not work for routed containers because it seems the “bridges” (pardon if this is not the correct term) change. For instance, here are the relevant devices now:

vethb4912077: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 169.254.0.1  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::401c:f8ff:fe52:959f  prefixlen 64  scopeid 0x20<link>
        ether 42:1c:f8:52:95:9f  txqueuelen 1000  (Ethernet)
        RX packets 22733  bytes 4089562 (3.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33391  bytes 2890201 (2.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethc0dcb475: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 169.254.0.1  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::f098:aaff:fe15:c2b5  prefixlen 64  scopeid 0x20<link>
        ether f2:98:aa:15:c2:b5  txqueuelen 1000  (Ethernet)
        RX packets 21384  bytes 100737503 (96.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20636  bytes 1482100 (1.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Whereas they were previously called

vethea2ddd10

and

veth95e57722

respectively.

So, any advice? Bonus points if you know how to solve the “two-NIC” issue for container plex.

As always, thank you!

EDIT: Current UFW Rules

     To                         Action      From
     --                         ------      ----
[ 1] <redacted>                 ALLOW IN    192.168.86.0/24           
[ 2] <redacted>                 ALLOW IN    192.168.87.0/24            
[ 3] plexmediaserver            ALLOW IN    Anywhere                  
[ 4] Anywhere on lxdbr0         ALLOW FWD   Anywhere                   (out)
[ 5] Anywhere                   ALLOW FWD   Anywhere on lxdbr0        
[ 6] Anywhere on lxdbr0         ALLOW IN    Anywhere                  
[ 7] 4533 on any                ALLOW IN    Anywhere                  
[ 8] 192.168.86.0/24 on any     ALLOW FWD   Anywhere on enp42s0       
[ 9] plexmediaserver (v6)       ALLOW IN    Anywhere (v6)             
[10] Anywhere (v6) on lxdbr0    ALLOW FWD   Anywhere (v6)              (out)
[11] Anywhere (v6)              ALLOW FWD   Anywhere (v6) on lxdbr0   
[12] Anywhere (v6) on lxdbr0    ALLOW IN    Anywhere (v6)             
[13] 4533 (v6) on any           ALLOW IN    Anywhere (v6)