Traffic failed from external network with default security group by FIP

Bug #1837203 reported by Taoyunxiang
This bug affects 1 person
Affects: networking-ovn
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

  I created a VLAN network (10.10.10.0/24) as external, and created a floating IP from it. Then I associated it with VM1 on an internal Geneve network. I found something confusing.

      1. If I connect to VM1 from the VLAN network (10.10.10.0/24), it fails, but if I connect to the VLAN network from VM1 by floating IP, it works. The security group is the default one.
       The ovn-trace shows the packet is blocked by an ACL, as follows:
···
egress(dp="tyx-net7", inport="51cbb0", outport="b5c91a")
--------------------------------------------------------
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
 4. ls_out_acl (ovn-northd.c:3638): ct.est && ct_label.blocked == 0 && (outport == @neutron_pg_drop && ip), priority 2001, uuid b1003c65
    ct_commit(ct_label=0x1/0x1);
·····

        If I add 10.10.10.0/24 to the security group, everything goes fine. So is this right, that it could not pass with the default security group?

      2. If VM1 (net1) connects to VM2 (net2) through a logical router, and all of them are associated with the default security group, everything goes fine.

         What is the difference between situations 1 and 2 with respect to the security group?

        If I want to change situation 1, do you have any suggestions?
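
Added example, not part of the original report and not networking-ovn code: a minimal Python model of ingress evaluation for the two situations above, assuming Neutron's stock default security group (all egress allowed, ingress only from ports that are members of the same group). The `Port` and `IngressRule` names and all addresses except 10.10.10.0/24 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class IngressRule:
    remote_group: Optional[str] = None       # source must be a port in this group
    remote_ip_prefix: Optional[str] = None   # source must fall inside this CIDR

@dataclass
class Port:
    rules: list
    established: set = field(default_factory=set)  # peers this port has contacted

    def connect_out(self, dst_ip):
        # Egress is allowed by the default group; conntrack remembers the peer.
        self.established.add(dst_ip)
        return True

    def accept_from(self, src_ip, members):
        if src_ip in self.established:          # reply to a tracked connection
            return True
        src = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if rule.remote_group and src_ip in members.get(rule.remote_group, ()):
                return True
            if rule.remote_ip_prefix and src in ipaddress.ip_network(rule.remote_ip_prefix):
                return True
        return False                            # no allow rule matched: dropped

# Constructed addresses: VM1 on net1, VM2 on net2, a host on the external VLAN.
VM1, VM2, EXT_HOST = "192.168.1.10", "192.168.2.20", "10.10.10.50"
MEMBERS = {"default": {VM1, VM2}}               # ports bound to the default group
DEFAULT_RULES = [IngressRule(remote_group="default")]
WIDENED_RULES = DEFAULT_RULES + [IngressRule(remote_ip_prefix="10.10.10.0/24")]

def scenarios():
    vm1 = Port(DEFAULT_RULES)
    out = {
        "ext_to_vm1_default": vm1.accept_from(EXT_HOST, MEMBERS),   # situation 1
        "vm2_to_vm1_default": vm1.accept_from(VM2, MEMBERS),        # situation 2
        "ext_to_vm1_widened": Port(WIDENED_RULES).accept_from(EXT_HOST, MEMBERS),
    }
    vm1.connect_out(EXT_HOST)                                       # VM1 initiates
    out["ext_reply_to_vm1"] = vm1.accept_from(EXT_HOST, MEMBERS)
    return out

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'dropped'}")
```

Under these assumptions the external host's source address stays 10.10.10.x after the floating IP translates the destination, so it never matches the group-membership rule, while VM2 does.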
