I am trying to replicate the solution in "SDN VNet subnet specify SNAT interface/IP"
I am using PVE 8.1.3
My first step is to get a single subnet working and then add a second and third...
I understand networks and routing tables but I am new to SDN
I added a zone 'zone1' then created vnet185 in that zone and added subnet 10.10.0.0/24 default 10.10.0.1
I also created a VM (ubuntu desktop) using vnet185 and set ipv4 static 10.10.0.10/24 default 10.10.0.1
I can ping 10.10.0.1 and 1.2.3.185 but not 1.2.3.1 (its gateway) or 8.8.8.8
eno1 is my LAN and enx28ee521f14ff is a USB dongle to an unmanaged switch on the WAN port (outside the firewall)
Once I get this working that switch may go away...
Any suggestions?
Code:
root@pve40:~# ip r
default via 1.2.3.1 dev vmbr1 proto kernel onlink
10.10.0.0/24 dev vnet185 proto kernel scope link src 10.10.0.1
1.2.3.0/24 dev vmbr1 proto kernel scope link src 1.2.3.185
192.168.8.0/24 dev vmbr0 proto kernel scope link src 192.168.8.40
Here are the resulting network files
/etc/network/interfaces
Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto enx28ee521f14ff
iface enx28ee521f14ff inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.8.40/24
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 1.2.3.185/24
        gateway 1.2.3.1
        bridge-ports enx28ee521f14ff
        bridge-stp off
        bridge-fd 0

source /etc/network/interfaces.d/*
/etc/network/interfaces.d/sdn
Code:
#version:28

auto vnet185
iface vnet185
        address 10.10.0.1/24
        post-up iptables -t nat -A POSTROUTING -s '10.10.0.0/24' -o vmbr1 -j SNAT --to-source 1.2.3.185
        post-down iptables -t nat -D POSTROUTING -s '10.10.0.0/24' -o vmbr1 -j SNAT --to-source 1.2.3.185
        post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        ip-forward on