After update to Debian 12 - Routing problems - no internet connection for HA/Addons

[uzi18]

Describe the issue you are experiencing

Routing issues after Debian/docker/HA update.

What type of installation are you running?

Home Assistant Supervised

Which operating system are you running on?

Debian 12

Supervisor diagnostics

Core
2025.1.0
Supervisor
2024.12.3
Debian 

# cat /etc/os-release |grep Debian
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
root@debian-ha:~# apt list --installed | grep os-agent

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

os-agent/now 1.6.0 amd64 [installed,local]
root@debian-ha:~# apt list --installed | grep supervised

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

homeassistant-supervised/now 2.0.0 all [installed,local]
root@debian-ha:~# apt list --installed | grep docker

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

docker-buildx-plugin/bookworm,now 0.19.3-1~debian.12~bookworm amd64 [installed]
docker-ce-cli/bookworm,now 5:27.4.1-1~debian.12~bookworm amd64 [installed]
docker-ce-rootless-extras/bookworm,now 5:27.4.1-1~debian.12~bookworm amd64 [installed]
docker-ce/bookworm,now 5:27.4.1-1~debian.12~bookworm amd64 [installed]
docker-compose-plugin/bookworm,now 2.32.1-1~debian.12~bookworm amd64 [installed]

Additional information

Actual state - routing broken :

root@debian-ha:~# ip -4 route
0.0.0.0 dev vethe587da2 scope link
0.0.0.0 dev veth775c0f2 scope link
0.0.0.0 dev veth0e51684 scope link
0.0.0.0 dev vethd9b7265 scope link
0.0.0.0 dev veth8a2a2e5 scope link
0.0.0.0 dev veth56a0a9e scope link
0.0.0.0 dev veth5c04df1 scope link
0.0.0.0 dev veth565d9b0 scope link
0.0.0.0 dev veth851dff1 scope link
0.0.0.0 dev vetha50be78 scope link
0.0.0.0 dev vetha3f3570 scope link
0.0.0.0 dev zthnhm35qb scope link
default dev vethe587da2 scope link
default via 192.168.1.1 dev enp1s0
8.8.8.8 via 192.168.1.1 dev enp1s0
10.147.17.0/24 dev zthnhm35qb proto kernel scope link src 10.147.17.134
169.254.0.0/16 dev zthnhm35qb proto kernel scope link src 169.254.87.125
169.254.0.0/16 dev vetha3f3570 proto kernel scope link src 169.254.72.246
169.254.0.0/16 dev vetha50be78 proto kernel scope link src 169.254.59.2
169.254.0.0/16 dev veth851dff1 proto kernel scope link src 169.254.230.246
169.254.0.0/16 dev veth565d9b0 proto kernel scope link src 169.254.253.26
169.254.0.0/16 dev veth5c04df1 proto kernel scope link src 169.254.157.244
169.254.0.0/16 dev veth56a0a9e proto kernel scope link src 169.254.254.224
169.254.0.0/16 dev veth8a2a2e5 proto kernel scope link src 169.254.206.167
169.254.0.0/16 dev vethd9b7265 proto kernel scope link src 169.254.111.160
169.254.0.0/16 dev veth0e51684 proto kernel scope link src 169.254.59.156
169.254.0.0/16 dev veth775c0f2 proto kernel scope link src 169.254.113.116
169.254.0.0/16 dev vethe587da2 proto kernel scope link src 169.254.93.96
169.254.0.0/16 dev enp1s0 scope link metric 1000
172.30.32.0/23 dev hassio proto kernel scope link src 172.30.32.1
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.136
192.168.1.1 dev enp1s0 scope link
192.168.10.0/24 dev docker0 proto kernel scope link src 192.168.10.1
root@debian-ha:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=14.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=13.4 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 13.428/14.096/14.764/0.668 ms
root@debian-ha:~# ping wp.pl
PING wp.pl (212.77.98.9) 56(84) bytes of data.
From debian-ha.local (169.254.93.96) icmp_seq=1 Destination Host Unreachable
From debian-ha.local (169.254.93.96) icmp_seq=2 Destination Host Unreachable
From debian-ha.local (169.254.93.96) icmp_seq=3 Destination Host Unreachable
^C
--- wp.pl ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4076ms
pipe 4
root@debian-ha:~# LC_ALL=c nmcli
enp1s0: connected (externally) to enp1s0
        "Realtek RTL8111/8168/8211/8411"
        ethernet (r8169), 7C:D3:0A:12:E1:68, hw, mtu 1500
        inet4 192.168.1.136/24
        route4 default via 192.168.1.1 metric 0
        route4 8.8.8.8/32 via 192.168.1.1 metric 0
        route4 169.254.0.0/16 metric 1000
        route4 192.168.1.0/24 metric 0
        route4 192.168.1.1/32 metric 0
        inet6 fe80::7ed3:aff:fe12:e168/64
        route6 fe80::/64 metric 256

lo: connected (externally) to lo
        "lo"
        loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
        inet4 127.0.0.1/8
        inet6 ::1/128

docker0: unmanaged
        "docker0"
        bridge, 02:42:7D:AE:0B:5F, sw, mtu 1500

hassio: unmanaged
        "hassio"
        bridge, 02:42:3B:26:EF:03, sw, mtu 1500

veth0e51684: unmanaged
        "veth0e51684"
        ethernet (veth), BE:15:5C:E4:2D:1C, sw, mtu 1500

veth565d9b0: unmanaged
        "veth565d9b0"
        ethernet (veth), EE:B4:F2:AB:AB:5F, sw, mtu 1500

veth56a0a9e: unmanaged
        "veth56a0a9e"
        ethernet (veth), BE:A6:55:94:2E:BB, sw, mtu 1500

veth5c04df1: unmanaged
        "veth5c04df1"
        ethernet (veth), 3E:A6:AE:E2:F7:B3, sw, mtu 1500

veth775c0f2: unmanaged
        "veth775c0f2"
        ethernet (veth), AE:57:93:28:4A:06, sw, mtu 1500

veth851dff1: unmanaged
        "veth851dff1"
        ethernet (veth), 96:C3:0A:7E:E7:8B, sw, mtu 1500

veth8a2a2e5: unmanaged
        "veth8a2a2e5"
        ethernet (veth), 1A:C6:C1:FA:50:B7, sw, mtu 1500

vetha3f3570: unmanaged
        "vetha3f3570"
        ethernet (veth), B2:CE:30:ED:F8:A9, sw, mtu 1500

vetha50be78: unmanaged
        "vetha50be78"
        ethernet (veth), 9A:A0:13:60:6B:2B, sw, mtu 1500

vethd9b7265: unmanaged
        "vethd9b7265"
        ethernet (veth), 3E:6B:16:4D:97:9B, sw, mtu 1500

vethe587da2: unmanaged
        "vethe587da2"
        ethernet (veth), 8A:22:18:37:31:2E, sw, mtu 1500

zthnhm35qb: unmanaged
        "zthnhm35qb"
        tun, 36:59:F9:72:9F:9B, sw, mtu 2800

Use "nmcli device show" to get complete information about known devices and
"nmcli connection show" to get an overview on active connection profiles.

Consult nmcli(1) and nmcli-examples(7) manual pages for complete usage details.

supervisor restart - routing works for restarting time ():

root@debian-ha:~# docker restart hassio_supervisor
hassio_supervisor
root@debian-ha:~# ping google.com
PING google.com (142.250.203.142) 56(84) bytes of data.
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=2 ttl=116 time=13.3 ms
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=3 ttl=116 time=12.8 ms
...
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=55 ttl=116 time=12.6 ms
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=56 ttl=116 time=16.4 ms
From debian-ha.local (169.254.118.203) icmp_seq=57 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=58 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=59 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=60 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=61 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=62 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=63 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=64 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=65 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=66 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=67 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=68 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=69 Destination Host Unreachable
From debian-ha.local (169.254.118.203) icmp_seq=70 Destination Host Unreachable
^C
--- google.com ping statistics ---
71 packets transmitted, 53 received, +14 errors, 25.3521% packet loss, time 70299ms
rtt min/avg/max/mdev = 12.370/13.063/16.420/0.607 ms, pipe 4

Docker stopped - routing works as expected:

root@debian-ha:~# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
  docker.socket
root@debian-ha:~# ip -4 route
0.0.0.0 dev zthnhm35qb scope link
default via 192.168.1.1 dev enp1s0
default via 192.168.1.1 dev enp1s0 proto static metric 100
10.147.17.0/24 dev zthnhm35qb proto kernel scope link src 10.147.17.134
169.254.0.0/16 dev zthnhm35qb proto kernel scope link src 169.254.87.125
172.30.32.0/23 dev hassio proto kernel scope link src 172.30.32.1 linkdown
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.136 metric 100
192.168.10.0/24 dev docker0 proto kernel scope link src 192.168.10.1 linkdown
root@debian-ha:~# ping google.com
PING google.com (142.250.203.142) 56(84) bytes of data.
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=1 ttl=116 time=12.7 ms
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=2 ttl=116 time=26.6 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 12.687/19.630/26.574/6.943 ms

After docker start - works for a moment:

root@debian-ha:~# systemctl start docker
root@debian-ha:~# ping google.com
PING google.com (142.250.203.142) 56(84) bytes of data.
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=1 ttl=116 time=34.5 ms
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=2 ttl=116 time=13.4 ms
...
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=31 ttl=116 time=13.2 ms
64 bytes from waw07s06-in-f14.1e100.net (142.250.203.142): icmp_seq=32 ttl=116 time=13.6 ms
From debian-ha.local (169.254.101.111) icmp_seq=33 Destination Host Unreachable
From debian-ha.local (169.254.101.111) icmp_seq=34 Destination Host Unreachable
From debian-ha.local (169.254.101.111) icmp_seq=35 Destination Host Unreachable
From debian-ha.local (169.254.101.111) icmp_seq=36 Destination Host Unreachable
From debian-ha.local (169.254.101.111) icmp_seq=37 Destination Host Unreachable
From debian-ha.local (169.254.101.111) icmp_seq=38 Destination Host Unreachable
From debian-ha.local (169.254.101.111) icmp_seq=39 Destination Host Unreachable
^C
--- google.com ping statistics ---
39 packets transmitted, 32 received, +7 errors, 17.9487% packet loss, time 38148ms
rtt min/avg/max/mdev = 12.508/15.041/34.492/5.600 ms, pipe 4

root@debian-ha:~# cat /etc/docker/daemon.json
{
    "log-driver": "journald",
    "storage-driver": "overlay2",
    "ip6tables": true,
    "experimental": true,
    "log-opts": {
        "tag": "{{.Name}}"
    }
}

root@debian-ha:~# cat /etc/NetworkManager/NetworkManager.conf
[main]
dns=default
plugins=keyfile
autoconnect-retries-default=0
rc-manager=file

[keyfile]
unmanaged-devices=type:bridge;type:tun;driver:veth
#;interface-name:enp1s0

[logging]
backend=journal

[connection]
connection.mdns=2
connection.llmnr=2

[connectivity]
uri=http://checkonline.home-assistant.io/online.txt
interval=600

[device]
wifi.scan-rand-mac-address=no

root@debian-ha:~# cat /etc/NetworkManager/system-connections/Supervisor\ enp1s0.nmconnection
[connection]
id=Supervisor enp1s0
uuid=7b7eac10-7678-4a65-baad-50cfcfd1dd8e
type=ethernet
llmnr=2
mdns=2
timestamp=1736276737

[ethernet]
cloned-mac-address=preserve
mac-address=7C:D3:0A:12:E1:68

[match]
path=pci-0000:01:00.0;

[ipv4]
address1=192.168.1.136/24,192.168.1.1
method=manual

[ipv6]
addr-gen-mode=default
method=link-local

[proxy]

Don't know what to check more.
Any ideas how to resolve this problem?