Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version: 4.9.2.0
- Security Level: Public (Anyone can view this level - this is the default.)
- Environment: Ubuntu 14.04 (management and host); KVM; Linux 4.4.0-67-generic
Description
When creating an isolated network, the virtual router created by CloudStack has 4 network interfaces instead of the expected 3 (the CloudStack UI reports 3 interfaces). eth2 (the third iface) is unconfigured; however, it is set up for masquerading. eth3 has an IP on our public network but is missing the required masquerading rules in iptables. The consequence is that the router does not work as expected and we cannot access the internet from within our VMs.
We are using CloudStack 4.9.2. We have configured advanced networking without security groups and have configured three physical network interfaces: br_mana for management traffic, br_publ for public traffic and br_priv for guest traffic. All use VLAN as the isolation method. It's a fresh install and there's only this one isolated network.
root@host:~# cat /etc/cloudstack/agent/agent.properties
#Storage
#Mon Mar 20 22:55:00 CET 2017
guest.network.device=br_priv
workers=5
private.network.device=br_mana
port=8250
resource=com.cloud.hypervisor.kvm.resource.LibvirtComputingResource
guest.cpu.mode=host-model
pod=1
zone=1
hypervisor.type=kvm
guid=b7e54aef-b9fb-302f-91a4-533984fda160
public.network.device=br_publ
cluster=1
local.storage.uuid=0e710ec6-4ac9-4e2a-b700-58c83575776d
domr.scripts.dir=scripts/network/domr/kvm
LibvirtComputingResource.id=1
host=yyy.yyy.64.183
root@host:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br_mana         8000.e0071bf32744       no              eth0
                                                        vnet1
                                                        vnet4
br_priv         8000.e0071bf32747       no              eth3
br_publ         8000.000000000000       no              eth1
breth1-257      8000.e0071bf32745       no              eth1.257
                                                        vnet2
                                                        vnet5
                                                        vnet8
                                                        vnet9
breth3-1370     8000.e0071bf32747       no              eth3.1370
                                                        vnet10
                                                        vnet6
cloud0          8000.fe00a9fe028f       no              vnet0
                                                        vnet3
                                                        vnet7
virbr0          8000.000000000000       yes
root@host:~# virsh
virsh # list
 Id    Name                           State
----------------------------------------------------
 2     v-1-VM                         running
 3     s-2-VM                         running
 6     r-6-VM                         running
 7     i-2-5-VM                       running

virsh # domiflist 6
Interface  Type       Source       Model       MAC
-------------------------------------------------------
vnet6      bridge     breth3-1370  virtio      02:00:5a:af:00:02
vnet7      bridge     cloud0       virtio      0e:00:a9:fe:02:bd
vnet8      bridge     breth1-257   virtio      06:de:1a:00:00:0c
vnet9      bridge     breth1-257   virtio      06:48:74:00:00:0c
root@r-6-VM:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:5a:af:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:02:bd brd ff:ff:ff:ff:ff:ff
    inet 169.254.2.189/16 brd 169.254.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:de:1a:00:00:0c brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:48:74:00:00:0c brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.64.164/27 brd xxx.xxx.64.191 scope global eth3
root@r-6-VM:~# ip route
default via xxx.xxx.64.161 dev eth3
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.1
xxx.xxx.64.160/27 dev eth3 proto kernel scope link src xxx.xxx.64.164
169.254.0.0/16 dev eth1 proto kernel scope link src 169.254.2.189
root@r-6-VM:~# cat /etc/network/interfaces
auto lo eth0 eth1 eth2
iface lo inet loopback
iface eth0 inet static
    address 10.1.1.1
    netmask 255.255.255.0
iface eth1 inet static
    address 169.254.2.189
    netmask 255.255.0.0
iface eth2 inet static
    address xxx.xxx.64.164
    netmask 255.255.255.224
root@r-6-VM:~# iptables -t nat -L -v
...
Chain POSTROUTING (policy ACCEPT 35 packets, 2676 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   304 SNAT       all  --  any    eth2    anywhere             anywhere             to:xxx.xxx.64.164
eth2 and eth3 are also mentioned a couple of times in the iptables -L -v output.
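The mismatch in this report is a public address on one interface (eth3) and the SNAT rule bound to another (eth2). The following script, added here as an illustration and not a CloudStack script, cross-checks the two from inside a router: it takes interfaces that hold a non-private, non-link-local IPv4 address and compares them with the out-interfaces named by SNAT or MASQUERADE rules in nat/POSTROUTING. The function names are the author's, the samples are constructed inline from the output shown above so the script runs offline, the NAT sample is the rule-spec form (iptables -S) of the rule shown above, and the 203.0.113.x addresses are documentation placeholders for the masked xxx.xxx.64.x values.

```shell
#!/bin/sh
# Added example (not a CloudStack script): cross-check a virtual router's
# nat/POSTROUTING rules against the interfaces that actually hold a public
# address, which is the mismatch described in the report (SNAT bound to
# eth2, public IP on eth3). Function names and sample data are constructed
# here; 203.0.113.x stands in for the masked xxx.xxx.64.x addresses.

# Constructed sample: `ip addr` on the router, shaped like the report's output.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:5a:af:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:02:bd brd ff:ff:ff:ff:ff:ff
    inet 169.254.2.189/16 brd 169.254.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:de:1a:00:00:0c brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 06:48:74:00:00:0c brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.164/27 brd 203.0.113.191 scope global eth3'

# Constructed sample: `iptables -t nat -S POSTROUTING`, the rule-spec form of
# the SNAT rule shown in the report (bound to eth2, not eth3).
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth2 -j SNAT --to-source 203.0.113.164'

# The same chain as it should look once SNAT follows the public interface.
SAMPLE_NAT_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth3 -j SNAT --to-source 203.0.113.164'

# Interfaces carrying a global-scope IPv4 address that is neither private
# (RFC 1918) nor link-local; on a VR these are the public-side interfaces.
public_ifaces() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" && /scope global/ {
            split($2, a, "/")
            if (a[1] ~ /^10\./ || a[1] ~ /^192\.168\./ || a[1] ~ /^169\.254\./ ||
                a[1] ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            print $NF      # the label (interface name) is the last field
        }' | sort -u
}

# Out-interfaces that have an SNAT or MASQUERADE rule in nat/POSTROUTING.
snat_ifaces() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ {
            for (i = 1; i <= NF; i++) if ($i == "-o") print $(i + 1)
        }' | sort -u
}

# Print one line per mismatch: a public interface with no SNAT rule, or an
# SNAT rule bound to an interface that holds no public address. No output
# means the two sets agree.
nat_mismatch() {
    pub=$(public_ifaces "$1" | tr '\n' ' ')
    nat=$(snat_ifaces "$2" | tr '\n' ' ')
    for i in $pub; do
        case " $nat " in *" $i "*) ;; *) echo "NO-SNAT $i" ;; esac
    done
    for i in $nat; do
        case " $pub " in *" $i "*) ;; *) echo "SNAT-WITHOUT-ADDR $i" ;; esac
    done
}

# Stand-alone run over the constructed sample; on a live router replace the
# samples with "$(ip -4 addr)" and "$(iptables -t nat -S POSTROUTING)".
nat_mismatch "$SAMPLE_IP_ADDR" "$SAMPLE_NAT"
```

Run against the sample it prints NO-SNAT eth3 and SNAT-WITHOUT-ADDR eth2, the two halves of the problem described above; against SAMPLE_NAT_OK it prints nothing. The private-range filter matters because the guest gateway (10.1.1.1 on eth0) and the link-local control address (169.254.x on eth1) also appear with scope global and must not be flagged as missing SNAT. A second check worth running on the host, not included here, is comparing the number of NICs in virsh domiflist for the router against the three the UI reports.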