Network bridge

This article discusses how to setup a network bridge in order to connect two portions of a network together.

Introduction
A network bridge can be used to connect two independent network segments at layer 2 level (much like a network switch). Common applications include transparent proxying, transparent filtering (using iptables) and saving money on hardware as some mainboards come with two PHY interfaces. In this article,  and   will be the network interfaces used but of course they can be replaced by whatever interface names are present on a system (such as   and  ).

In order to create a bridge on Linux a special bridging device is created (brX) that contains at least two network devices as ports (e.g. ethX or pppX). As the bridge works on layer 2, no IP addresses are needed on the port devices — on a typical setup, the bridging device itself will receive the IP (e.g. via DHCP).

Installation
With older versions of netifrc, or needs for some other reasons, install the package to have access to the utilities needed to manage the bridge device:

It is recommended to configure bridges with a console connection. SSH access is likely to be lost if working on one of the ports being adding to the bridge.

Make certain the physical Ethernet interfaces in the bridge are not in as symbolic links as part of the original install:

It is always best to learn how to do things first by hand, then automate it. As this is a layer 2 connection being creating, IP addresses assigned to the physical ports are not needed. The bridged physical interfaces (enp1s0 and enp2s0 in the below example) are put into promiscuous mode, so they will not be able to receive an IP address (e.g. via dhcp). The bridge will also not function properly if static IP addresses are forced on the interfaces.

Now create a bridge with no interfaces assigned (yet):

Add the two interfaces to the bridge:

View the results:

Note that  does not get turned on unless specified.

OpenRC
First, the bridge device must be added to the file. As an example, bridge configuration with static addresses:

For dynamic address, use dhcp option:

More documentation can be found by reading, for example:

Next, create the init script by linking to  and start the interface as follows:

Finally, to make sure the bridge is automatically set up on subsequent boots add the newly generated init script to the system's default run level:

Single NIC bridge
There are cases when a bridge is needed even when only a single NIC is available on the system, such as a bridge for LXD, Podman, Xen or docker, so that containers can be easily exposed to the LAN. In such a scenario, it is possible to put a single interface in the bridge configuration:

The host machine will still have access to the network as the default route is now configured through the bridge interface. Now any containers using this bridge as the parent will be exposed to the LAN, which can be quite useful but also needs careful firewall protections as all ports are now exposed.

systemd
As of systemd 210 and up, a special service called systemd-networkd is available for network configuration. This service can handle bridge construction.

The basic procedure of creating a network configuration with systemd-networkd is creating several and  files.

First, create a bridge. With systemd-networkd this is as simple as creating a new file:

After the bridge definition is created, assign the interfaces to the bridge:

Multiple interfaces can be matched and attached to the bridge.

Notice that this bridge is still not active. Activation can be achieved by creating a definition to use the bridge.

Static
Defining a gateway is only necessary if one intends to use the physical network interface as access to another network. When using the bridge as a private network, omit it as systemd-networkd will add the bridge as a default route when the Gateway option is set.

Do remember to enable and start the systemd-networkd service.

Using network manager
An alternative way of setting up a bridge is to use net-misc/networkmanager package.

Please make sure your kernel has full support for Iptables before proceed.

Optionally install bridge management tools: RootCmd

Next enable iptables support for networkmanager:

Then create a bridge using networkmanager cli:

External resources

 * Official Linux network bridge documentation.
 * Generic Linux network bridge how-to.
 * Creating a bridge with NetworkManager.