I've read the wiki and many threads on this; however, either my internet (ping 1.1.1.1) doesn't work in the LXC container, or it works while ignoring all firewall rules (ping works ignoring even a full drop of everything on all levels).
- I have activated the firewall everywhere (incl. in the network-hardware of the container)
- I can ping 10.10.10.1 from the container
- I've tried to replace my network interface in the postrouting rule to vmbr0
- I rebooted plenty of times throughout all these attempts to clear out states
I've assigned the following security group to datacenter, host and container:
out - accept - destination: 1.1.1.1
in - accept - source: 1.1.1.1
in - accept - macro: Ping
in - accept - tcp: 8006
I've also tried to assign them manually instead of using a security group; that didn't fix it either.
Here's my current network file:
Code:
auto lo
iface lo inet loopback

iface ens18 inet manual

auto vmbr0
iface vmbr0 inet static
        address xxx/24
        gateway xxx.1
        bridge-ports ens18
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o ens18 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o ens18 -j MASQUERADE
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

auto vmbr1
iface vmbr1 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
Thanks!