LXC firewall or static route misconfiguration?

sadpanda

Jul 7, 2020
Kinda stumped:

Standard 192.x.x.x DHCP/firewall/switch network for fileserver/prox on 1Gb. Separate 10Gbe network using dumb switch/static routes on 10.x.x.x for fileserver.
BTW fileserver is baremetal OMV so no intra host networking.
Working with jellyfin unprivileged LXC using template - up and running including gpu passthru no issues there.

I set ip on open 10Gbe port to 10.0.0.40/24, add new bridge (eth1 in lxc) and have firewalls OFF (iptables on both host and lxc all say 'accept')

After lots of searching I ended up here: https://piotrkalinowski.com/note/static-routes-in-ubuntu-20-04-lxc/
created /etc/systemd/network/eth1.network.d/static.conf in lxc and in it I stabbed:
Code:
[Route]
Destination=10.0.0.0/24
GatewayOnLink=true
Gateway=10.0.0.40

which nets
Code:
#ip route show
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.100 metric 1024
10.0.0.0/24 via 10.0.0.40 dev eth1 proto static onlink
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.100 metric 1024
192.168.1.1 dev eth0 proto dhcp scope link src 192.16.1.100 metric 1024


ping works both directions BUUUT
iperf only works with prox as client > OMV server
iperf server shows connection from prox as 192.x.x.x but the speed is 10Gbe (clearly using eth1)
if I disable eth0 (192.x.x.x) in lxc, ping and iperf to 10.x.x.x stops working
if I disable eth1, iperf works BOTH directions at 1gb
iperf reporting 192.x but transferring over 10.x is interesting but much less annoying than losing ping when eth0 is disabled / the mystery inbound firewall rule.

for reference, does not seem to be an OMV side issue: iperf OMV>Mint workstation over the 10Gbe works in all conditions
Thanks.