Hetzner support should have sent a PCAP file of the offending packets. would go a lot quicker toward this problem resolution.
My advice would be to start a ‘tcpdump -i enp5s0 -w /tmp/capture.pcap‘ and let it run until the Hetzner support complains then peruse the PCAP with Wireshark for outlier packets, starting with sorting by MAC, filter out your KNOWN source MAC address, and repeat but with known source IP address(es).
For my homelab (pve-no-subscription), I find myself having to split my four Ethernet Port NIC into management IP, bridged (vmbr0) without an IP, and MACVLAN all connected to the switch.