diff --git a/network-go/firewall/firewall.go b/network-go/firewall/firewall.go
index 2155529..a29831e 100644
--- a/network-go/firewall/firewall.go
+++ b/network-go/firewall/firewall.go
@@ -38,10 +38,11 @@ func (o *Orchestrator) ReconcileAll(ctx context.Context, cfg *config.NetworksCon
 // Update resolver with latest config
 o.resolver.SetConfig(cfg)
 
- // Step 0: Enable IP forwarding
- log.Println("FIREWALL: enabling IP forwarding")
+ // Step 0: Enable IP forwarding (may fail in containers with read-only fs)
 if err := o.iptablesMgr.EnsureIPForward(); err != nil {
- log.Printf("FIREWALL: ERROR enabling ip_forward: %v", err)
+ log.Printf("FIREWALL: WARNING could not enable ip_forward: %v", err)
+ } else {
+ log.Println("FIREWALL: IP forwarding enabled")
 }
 
 // Step 1: Ensure all defined networks exist
diff --git a/network-go/iptables/iptables.go b/network-go/iptables/iptables.go
index e69692f..ad8fa77 100644
--- a/network-go/iptables/iptables.go
+++ b/network-go/iptables/iptables.go
@@ -91,7 +91,9 @@ func (m *Manager) runInContainer(pid int, table string, args ...string) error {
 return nil
 }
 
-// EnsureIPForward enables IP forwarding on the host
+// EnsureIPForward enables IP forwarding on the host.
+// Logs a warning if it fails (e.g. read-only filesystem in a container),
+// since this should be configured at the host level.
 func (m *Manager) EnsureIPForward() error {
 cmd := exec.Command("sh", "-c", "echo 1 > /proc/sys/net/ipv4/ip_forward")
 output, err := cmd.CombinedOutput()
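Review bot: With the ERROR downgraded to a WARNING, ReconcileAll now continues into network and rule setup when ip_forward could not be enabled, and nothing in the new branch records that degraded state beyond the log line, so a caller of ReconcileAll presumably cannot tell that the networks it just configured may not forward traffic between them. The warning is also independent of the cause: a read-only /proc on a host where forwarding is already on, and a host where forwarding is genuinely off, produce the same message, and only the first is the benign case the new comment describes. I would at least make the comment say what is at stake, e.g. `// Step 0: Enable IP forwarding. A failure here is tolerated (read-only fs in containers), but if the host does not already have ip_forward=1, cross-network traffic will be dropped silently.`, and consider exposing the condition via a returned status or metric rather than the log alone. ReconcileAll starts and ends outside the hunk.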
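Review bot: The new doc comment says EnsureIPForward "logs a warning if it fails", but the visible body returns the error and does no logging; the warning is emitted by the caller in firewall.go, so the comment documents the caller's policy rather than this function's contract. I would word it as `// EnsureIPForward enables IP forwarding on the host by writing 1 to /proc/sys/net/ipv4/ip_forward.` followed by `// It returns the write error (e.g. read-only /proc inside a container); the caller decides whether that is fatal.` Separately, shelling out through `sh -c` to write one byte buries the failure cause in combined stdout/stderr text; `err := os.WriteFile("/proc/sys/net/ipv4/ip_forward", []byte("1\n"), 0o644)` avoids the shell and yields a typed *fs.PathError that callers can inspect with errors.Is (for example fs.ErrPermission) to distinguish the read-only case from a real failure. The function body continues past the hunk, where the output/err handling would need to follow that change.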