Quick question for anyone in the know. I have a fairly basic setup (at
least I think it is?) with an openvswitch, and the br0 port has an IP
assigned in the same subnet as the VM to act as a gateway.
          |------ovs--------|
eno2 <--  |--br0            |
          |--vnet0 - VM     |
          |-----------------|
I would like the VM (vnet0) to use br0 as a gateway, which, local
connectivity wise, seems fine, but the internet is a bit odd. I can ping,
for example, the 1.1.1.1 DNS server without any issues, but anything UDP/TCP is a no go.
I checked the physical host's interface (eno2) and br0 and found that the VM's
packets were successfully heading to br0, but when leaving the physical
host (eno2) the TCP/UDP packets weren't being masqueraded. The rule is
pretty straightforward, and to test I plugged another device into the eno1
afxdp port and had no connectivity issues; packets were being
masqueraded fine.
I tried setting trustGuestRxFilters='yes' but that didn't work and the same
state remained; the only thing that worked was using the "rtl8139" model
type.
I always remember using 'virtio' in the past, and I must be missing
something crucial in the somewhat lengthy libvirt documentation.
It would be super helpful if someone could shed some light on this, and
possibly on whether I should be using virtio or the Realtek driver?
Thanks! (config below)
Iptables:
sudo iptables -t nat -A POSTROUTING -o eno2 -j MASQUERADE
ovs-vsctl show
ec13c3e2-6159-4019-984e-36cc90c59075
    Bridge br0
        fail_mode: standalone
        datapath_type: netdev
        Port vnet0
            Interface vnet0
        Port eno1
            Interface eno1
                type: afxdp
        Port br0
            Interface br0
                type: internal
instance domain xml
<interface type='bridge'>
  <mac address='52:54:00:77:fc:70'/>
  <source bridge='br0'/>
  <virtualport type='openvswitch'>
    <parameters interfaceid='2124ef39-e244-434c-8339-d2aa04d0d888'/>
  </virtualport>
  <model type='virtio'/> <!-- rtl8139 works. -->
  <address type='pci' domain='0x0000' bus='0x02' slot='0x01' function='0x0'/>
</interface>
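As an added diagnostic example (not part of the original post, and not the poster's or libvirt's code), the POSIX shell function below takes a `tcpdump -n` capture from the egress interface and the VM subnet prefix and counts, per protocol, the packets that left the host still carrying a VM source address, i.e. that were not masqueraded. This is the check the post describes doing by eye on eno2: ICMP rewritten, TCP/UDP not. The capture lines, the 192.168.10.0/24 VM subnet and the 203.0.113.5 host address are constructed for the example.

```shell
#!/bin/sh
# Added example: detect VM packets leaving the egress interface without SNAT.
# Source address is field 3 of a `tcpdump -n` line ("IP src > dst:"); a trailing
# .port is stripped so 192.168.10.20.44321 becomes 192.168.10.20.

# Constructed sample standing in for `tcpdump -ni eno2`.
# 192.168.10.0/24 is an assumed VM subnet; 203.0.113.5 is an assumed host address.
EGRESS_CAPTURE='12:00:01.000001 IP 203.0.113.5 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
12:00:01.000002 IP 1.1.1.1 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 64
12:00:01.000003 IP 192.168.10.20.44321 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.168.10.20.50000 > 1.1.1.1.53: 12345+ A? example.com. (29)
12:00:02.000005 IP 192.168.10.20.44321 > 1.1.1.1.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000006 IP 203.0.113.5.60000 > 1.1.1.1.53: 12346+ A? example.org. (29)'

# unmasqueraded_count CAPTURE PREFIX PROTO
# Prints how many packets in CAPTURE have a source IP starting with PREFIX
# and protocol PROTO (icmp, tcp or udp). Anything above 0 on the egress
# interface means the POSTROUTING MASQUERADE rule did not apply to that flow.
unmasqueraded_count() {
    printf '%s\n' "$1" | awk -v prefix="$2" -v want="$3" '
        $2 == "IP" {
            src = $3
            # five dotted fields means IPv4 plus port; keep only the address
            if (split(src, p, ".") == 5) src = p[1] "." p[2] "." p[3] "." p[4]
            if (index($0, " ICMP ")) proto = "icmp"
            else if (index($0, "Flags [")) proto = "tcp"
            else proto = "udp"
            if (index(src, prefix) == 1 && proto == want) n++
        }
        END { print n + 0 }'
}

# Per-protocol summary for the constructed capture.
for proto in icmp tcp udp; do
    echo "$proto packets leaving eno2 with a VM source: $(unmasqueraded_count "$EGRESS_CAPTURE" 192.168.10. "$proto")"
done
```

On a real host, feed it a capture such as `tcpdump -ni eno2 -c 200 host 1.1.1.1` taken while the VM runs its TCP or UDP test; a non-zero TCP/UDP count alongside a zero ICMP count reproduces the symptom in the post, and a non-zero count of any kind also means the VM's private addresses are leaking onto the upstream link.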