Hi all!
I'm using pve-manager/6.4-13/9f411e79 (running kernel: 5.4.140-1-pve) and I have problems.
When I create 3 bridges (2 VLAN and 1 native) and connect a VM to a bridge with a VLAN, neighboring virtual machines become unavailable. Ping passes, but any protocol, for example http(s), does not. When accessing virtual machines on neighboring hosts of the cluster, there are no problems; everything is available. I found that disabling the firewall on the node solves the problem (pve-firewall stop). At the same time, everything is always allowed on the virtual machines in the firewall.
Please tell me if I can use both VLAN and firewall at the same time without breaking the availability of co-hosted virtual machines? Thanks!
Code:
cat /etc/network/interfaces
auto eno2.1
iface eno2.1 inet manual

auto vmbr2
iface vmbr2 inet manual
        bridge-ports eno2.1
        bridge-stp off
        bridge-fd 0
Code:
cat /etc/pve/nodes/pve/qemu-server/100.conf | grep net
net0: virtio=00:0c:29:72:12:12,bridge=vmbr2
Code:
ping 192.168.5.37
PING 192.168.5.37 (192.168.5.37) 56(84) bytes of data.
64 bytes from 192.168.5.37: icmp_seq=1 ttl=64 time=0.585 ms
64 bytes from 192.168.5.37: icmp_seq=2 ttl=64 time=0.610 ms
curl -vvv http://192.168.5.37
* About to connect() to 192.168.5.37 port 80 (#0)
* Trying 192.168.5.37...
* Connected to 192.168.5.37 (192.168.5.37) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.5.37
> Accept: */*
* Recv failure: Connection reset by peer
* Closing connection 0
expected behavior:
Code:
curl -vvv http://192.168.5.37
* About to connect() to 192.168.5.37 port 80 (#0)
* Trying 192.168.5.37...
* Connected to 192.168.5.37 (192.168.5.37) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.5.37
> Accept: */*
>
* Empty reply from server
* Connection #0 to host 192.168.5.37 left intact
curl: (52) Empty reply from server