Debian

How to get internet inside an OpenVZ container?

OS Debian GNU/Linux 7.6 (wheezy).
Unfortunately, I can't get internet inside the container when using veth.
If I use venet then everything works well.
Now a little about how the network is arranged.
vlan9 - ISP
vlan10 - network between router and L2+
switch vlan11 - network from PC.
There is an L2 + switch to which the Internet comes via vlan9.
Vlan 10 is the network up to the router that makes NAT vlan9 a normal masquerade -A POSTROUTING -o bond0.9 -j MASQUERADE .
The router has done interface aggregation (LACP) from the L2 + switch according to the 802.3ad standard.
vlan11 is a regular mesh, the L2+ switch handles routing for it.
Router config.

#bonding
auto bond0
iface bond0 inet manual
bond-mode 802.3ad
bond-miimon 100
bond-downdelay 200
bond-updelay 200
bond-lacp-rate 4
bond-slaves eth0 eth1
#vlan 9
auto bond0.9
iface bond0.9 inet dhcp
hwaddress ether 00:00:0C:97:BA:B8
vlan_raw_device bond0
#vlan 10
auto bond0.10
iface bond0.10 inet static
address 10.14.248.1
netmask 255.255.255.252
up route add -net 10.14.249.0/24 gw 10.14.248.2
down route del -net 10.14.249.0/24 gw 10.14.248.2
vlan_raw_device bond0
#vlan 11
auto bond0.11
iface bond0.11 inet manual
vlan_raw_device bond0
#bridge vlan11 for VM
auto vmbrd0v11
iface vmbrd0v11 inet manual
bridge_ports bond0.11
bridge_stp on
bridge_fd 0

Routing
10.14.248.0/30 dev bond0.10 proto kernel scope link src 10.14.248.1
xxx.xxx.xxx.128/25 dev bond0.9 proto kernel scope link src xxx.xxx.xxx.236
10.14.249.0/24 via 10.14 .248.2 dev bond0.10
default via xxx.xxx.xxx.129 dev bond0.9
L2 switch has ip 10.14.248.2
The problem is this. I am raising a container with a virtual machine on the router, which will be part of the vlan11 network. To do this, I raised vlan11 (bond0.11) and bridge (vmbrd0v11) on the router.
I give the network to the container like this vzctl set CTID --netif_add eth0,,,,vmbrd0v11 --save
veth1234.0 added to the vmbrd0v11 bridge

bridge name bridge id STP enabled interfaces
vmbrd0v11 8000.0018518d937b yes bond0.11
veth1234.0

Container receives via DHCP
eth0: mtu 1500 qdisc noqueue state UNKNOWN
link/ether 00:18:51:ed:5c:10 brd ff:ff:ff:ff:ff:ff
inet 10.14.249.111/24 brd 10.14.249.255 scope global eth0
inet6 fe80::218:51ff:feed:5c10/64 scope link
valid_lft forever preferred_lft forever
routing
10.14.249.0/24 dev eth0 proto kernel scope link src 10.14.249.111
default via 10.14.249.1 dev eth0
As a result, the container sees the entire network, but cannot access the internet.
Pings hit interface bond0.9
IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
10.14.249.111 > 8.8.8.8: ICMP echo request, id 2001, seq 1, length 64
but do not reach (looked at my remote servers)
sysctl added
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables the magic-sysrq key
kernel.sysrq = 1
# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
Honestly, I have no idea where to dig and what to touch.