Settings when using a bridge

I have a bridge set up between my physical Ethernet interface, eth0, and the virtual interface for OpenVPN, tap0. The bridge has an IP address, and the machine can be contacted on that IP address from either interface. However, I don’t know what to configure to get traffic flowing across the bridge, between the interfaces.

Is net.ipv4.ip_forward = 1 necessary to set for bridging, or is it just a setting required for routing?

How should I configure the FORWARD chain in iptables? Ideally only traffic between the interfaces should be forwarded, so that the machine cannot be used as a bounce point within the network.



Method 1

You shouldn’t need to set the ip_forward = 1 unless the interface is acting as a NAT for the other devices, which shouldn’t be the case if you’ve set them up as a bridge.


Here’s my KVM server setup which has a bridge device, br0, with the physical Ethernet device, eth0 + all the interfaces for the KVM guests.

$ brctl show
bridge name bridge id       STP enabled interfaces
br0     8000.bcaec123c1e2   no      eth0
virbr0      8000.52540003f256   yes     virbr0-nic

So what’s wrong?

Based on your description it sounds like you don’t have routing rules to route the packets from one interface to the other.

Host with the bridge

$ ip route show dev br0  proto kernel  scope link  src dev virbr0  proto kernel  scope link  src dev br0  scope link  metric 1008 
default via dev br0

Host with NIC that’s member of bridge
$ ip route show dev eth0  proto kernel  scope link  src dev eth0  scope link  metric 1002 
default via dev eth0

However you’re likely running into an issue with mixing the tap0 device and the physical ethernet device, eth0, into a bridge.

Tap devices in bridges

Given you’re using a TAP device, tap0, you’ll likely need to configure your firewall to allow these packets to flow back and forth over the bridge.

Now set up the Linux firewall to permit packets to flow freely over the newly created tap0 and br0 interfaces:

$ sudo iptables -A INPUT -i tap0 -j ACCEPT
$ sudo iptables -A INPUT -i br0 -j ACCEPT
$ sudo iptables -A FORWARD -i br0 -j ACCEPT
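An added example, not part of the answer above: a POSIX shell script that prints (or, as root, applies) a FORWARD chain limited to frames passing between the two bridge ports, which is the question's "only traffic between the interfaces" requirement. It assumes the bridge is br0 with members eth0 and tap0, and that br_netfilter is loaded so that iptables sees bridged frames at all.

```shell
#!/bin/sh
# Added example (not the answer's own commands). Emits iptables rules so the
# host forwards frames only between its two bridge ports and drops (and logs)
# anything else it might otherwise forward. Interface names are assumptions.
#
# Two facts this relies on:
#  * Bridging needs no net.ipv4.ip_forward=1; that sysctl only governs routing.
#  * iptables' FORWARD chain sees bridged frames only when br_netfilter is
#    loaded and net.bridge.bridge-nf-call-iptables=1. Without it, bridged
#    traffic bypasses iptables entirely (use ebtables or nft's bridge family).

# Print the prerequisites for making bridged frames visible to iptables;
# ip_forward stays off because nothing here should be routed.
bridge_nf_prereq() {
    cat <<'EOF'
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.ipv4.ip_forward=0
EOF
}

# Print FORWARD rules for bridge $1 with member ports $2 and $3.
# For a bridged frame -i and -o are both the bridge device itself, so the
# physdev match is what identifies the real ingress and egress ports.
bridge_forward_rules() {
    br="$1" port_a="$2" port_b="$3"
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $br -o $br -m physdev --physdev-is-bridged --physdev-in $port_a --physdev-out $port_b -j ACCEPT
iptables -A FORWARD -i $br -o $br -m physdev --physdev-is-bridged --physdev-in $port_b --physdev-out $port_a -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "bridge-fwd-drop: " --log-level 4
EOF
}

# With "apply" the rules are executed (root required); otherwise they are only
# printed, which is a safe dry run for review.
case "${1:-print}" in
    apply) { bridge_nf_prereq; bridge_forward_rules br0 eth0 tap0; } | sh -e ;;
    *)     bridge_nf_prereq; bridge_forward_rules br0 eth0 tap0 ;;
esac
```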


All methods were sourced from or are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
