I have an Ubuntu 20.4 Docker host (Docker version 20.10) with one interface for host management access and one interface set up as a trunk port for VLAN tagging. I have multiple Docker networks defined, each using a different VLAN sub-interface on the trunk interface.
I have the docker-compose file below:
version: '3'
networks:
  netqa:
    external: true
  netqagraylog:
volumes:
  mongodata:
  esdata:
  graylogjournal:
    driver: local
  graylogconfig: # ADDED
    driver: local # ADDED
services:
  mongoqa:
    image: mongo:4.4
    volumes:
      - mongodata:/data/db
    networks:
      - netqagraylog
    expose: ["27017"]
  elasticsearchqa:
    image: elasticsearch:7.16.1
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    deploy:
      resources:
        limits:
          memory: 1g
    volumes:
      - esdata:/usr/share/elasticsearch/data
    networks:
      - netqagraylog
    expose: ["9200"]
  graylogqa:
    image: graylog/graylog:4.2.4
    environment:
      # ... (other environment variables omitted in the original post)
      - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.249.23:9000/
      - GRAYLOG_ELASTICSEARCH_HOSTS=http://elasticsearchqa:9200
      - GRAYLOG_MONGODB_URI=mongodb://mongoqa:27017/graylog
    volumes:
      - "graylogjournal:/usr/share/graylog/data/journal"
      - "graylogconfig:/usr/share/graylog/data/config" # ADDED
    networks:
      netqagraylog:
      netqa:
        ipv4_address: 192.168.249.23
    depends_on:
      - mongoqa
      - elasticsearchqa
    # ports:
    #   - 9001:9000
    #   - 12201:12201
    #   - 12201:12201/udp
    # a mapping key may appear only once in YAML; repeating "expose:" keeps only the last entry,
    # so all exposed ports go in a single list
    expose: ["9000", "12201", "12201/udp"]
I have the external Docker network netqa defined as:
docker inspect netqa
[
    {
        "Name": "netqa",
        "Id": "2482b60cbc263787b2856b468c0db65181cfa7cd11b1cb2e38fab934cc051a95",
        "Created": "2022-01-10T21:15:34.936154788Z",
        "Scope": "local",
        "Driver": "ipvlan",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.249.0/24",
                    "Gateway": "192.168.249.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "05185659f7f95067065edb5afc46c5d0bb580895589f139225ded46fae150479": {
                "Name": "i1qagraylog_graylogqa_1",
                "EndpointID": "4b230a8fc49f6361976c47b5db2aef3dc19343c8edd3b3ce707699628c5add24",
                "MacAddress": "",
                "IPv4Address": "192.168.249.23/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "parent": "enp8s0f1.11"
        },
        "Labels": {}
    }
]
My issue is that everything works as expected when on the 192.168.249.x network. However, from a different subnet or VLAN, UDP packets go to 192.168.249.23 and are ingested, but TCP-based packets fail at the firewall, as all return packets from the i1qagraylog container seem to be coming from the Docker host management interface and not the netqa interface (VLAN tag sub-interface VLAN 11). How can I force the i1qagraylog container to use the IP and network assigned to it without having outbound packets from the container go out the host interface? (If I use the option ports: 9000:9000 I can access the Graylog website using the host IP. Using expose: 9000 does allow access to the Graylog website, but only from another machine on the 192.168.249.x subnet.)
Any ideas?
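The symptom in the question (UDP arrives and is ingested, TCP replies are dropped by a stateful firewall because they leave via a different interface than the one the request came in on) is a classic asymmetric-routing signature, and the first thing to check is the container's own routing table. The script below is an added example, not code from the original post or from Docker or Graylog: it parses the output of `docker exec <container> ip route show` and, for a given client address, reports which interface the request arrives on (the one owning the service IP) and which interface the reply will leave on (longest-prefix match over the routes). The two routing tables are constructed samples; in particular, the interface names, the 172.20.0.0/16 bridge subnet and the assumption that the bridge network received the container's default route are illustrative and must be replaced with real `ip route show` output from your container.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `docker exec <container> ip route show` for a container
# attached to two Docker networks: eth0 on an internal bridge (172.20.0.0/16)
# that received the default route, eth1 on an ipvlan network (192.168.249.0/24)
# holding the address clients connect to. Illustrative values, not from the post.
ROUTES_AS_DEPLOYED = """\
default via 172.20.0.1 dev eth0
172.20.0.0/16 dev eth0 proto kernel scope link src 172.20.0.4
192.168.249.0/24 dev eth1 proto kernel scope link src 192.168.249.23
"""

# Hypothetical corrected state: default route moved to the ipvlan network's gateway.
ROUTES_FIXED = """\
default via 192.168.249.1 dev eth1
172.20.0.0/16 dev eth0 proto kernel scope link src 172.20.0.4
192.168.249.0/24 dev eth1 proto kernel scope link src 192.168.249.23
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # next hop; None for directly connected routes
    src: Optional[str]  # preferred source address, if printed by the kernel


def parse_ip_route(text: str) -> list:
    """Parse `ip route show` lines (IPv4 only) into Route objects."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]

        def after(key: str) -> Optional[str]:
            return fields[fields.index(key) + 1] if key in fields else None

        routes.append(Route(ipaddress.ip_network(dst, strict=False),
                            after("dev"), after("via"), after("src")))
    return routes


def egress_interface(routes: list, dst_ip: str) -> Optional[str]:
    """Longest-prefix match: the interface a packet to dst_ip leaves on."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.dev if best else None


def interface_for_address(routes: list, addr: str) -> Optional[str]:
    """The interface whose connected route carries addr as its source address."""
    for r in routes:
        if r.via is None and r.src == addr:
            return r.dev
    return None


def reply_path(routes: list, service_ip: str, client_ip: str) -> dict:
    """How a reply to client_ip leaves when the request arrived on service_ip."""
    ingress = interface_for_address(routes, service_ip)
    egress = egress_interface(routes, client_ip)
    return {"ingress": ingress, "egress": egress, "asymmetric": ingress != egress}


def audit(routes_text: str, service_ip: str, clients: list) -> dict:
    """Run reply_path for every client address against one routing table."""
    routes = parse_ip_route(routes_text)
    return {c: reply_path(routes, service_ip, c) for c in clients}


if __name__ == "__main__":
    clients = ["192.168.249.50", "10.20.0.5"]  # same-subnet client, other-VLAN client
    for label, text in (("as deployed", ROUTES_AS_DEPLOYED), ("fixed", ROUTES_FIXED)):
        print(label)
        for client, res in audit(text, "192.168.249.23", clients).items():
            state = "ASYMMETRIC (stateful firewall will drop TCP)" if res["asymmetric"] else "ok"
            print(f"  client {client}: in {res['ingress']} out {res['egress']} {state}")
```

In the "as deployed" table, a client on the same /24 is answered through eth1, so the TCP handshake completes; a client on another VLAN only matches the default route, so the reply leaves through eth0, is masqueraded out the host's default interface and reaches the firewall from an address it never saw a SYN from. Once the default route points at the ipvlan gateway, both clients are answered on eth1. Run the real `ip route show` from inside the container through this check before changing any compose settings, so the fix is based on the route the container actually has.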