VLAN over virtual Ethernet interfaces, like the virtual Ethernet pair likely used to provide the interface for the default pod network "/eth0", requires VLAN offload to be disabled on the "other end" of the Ethernet connection. This to ensure that the firewall receives the packets with the VLAN header in place in the raw packet data. Otherwise the VLAN information might not be picked up by the firewall. Disabling VLAN offload might require some custom scripts on the host.