Settings when using a bridge


You shouldn't need to set the ip_forward = 1 unless the interface is acting as a NAT for the other devices, which shouldn't be the case if you've set them up as a bridge.

Example

Here's my KVM server setup, which has a bridge device, br0, with the physical ethernet device, eth0, plus all the interfaces for the KVM guests.

$ brctl show
bridge name bridge id       STP enabled interfaces
br0     8000.bcaec123c1e2   no      eth0
                            vnet0
                            vnet1
                            vnet2
                            vnet3
                            vnet4
                            vnet5
virbr0      8000.52540003f256   yes     virbr0-nic

So what's wrong?

Based on your description it sounds like you don't have routing rules to route the packets from one interface to the other.

Host with the bridge
$ ip route show
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.200 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 
169.254.0.0/16 dev br0  scope link  metric 1008 
default via 192.168.1.1 dev br0 
Host with NIC that's member of bridge
$ ip route show
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.218 
169.254.0.0/16 dev eth0  scope link  metric 1002 
default via 192.168.1.1 dev eth0 

However you're likely running into an issue with mixing the tap0 device and the physical ethernet device, eth0, into a bridge.

Tap devices in bridges

Given you're using a TAP device, tap0, you'll likely need to configure your firewall to allow these packets to flow back and forth over the bridge.

Now set up the Linux firewall to permit packets to flow freely over the newly created tap0 and br0 interfaces:

$ sudo iptables -A INPUT -i tap0 -j ACCEPT
$ sudo iptables -A INPUT -i br0 -j ACCEPT
$ sudo iptables -A FORWARD -i br0 -j ACCEPT
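The question also asks for the FORWARD chain to pass only frames between the two bridge members, so the host can't be used as a bounce point. The script below is an added example for that, not code from the answer above or from the asker: it prints (and with APPLY=1 applies) a ruleset that keeps routing off and default-denies forwarding, accepting only frames that cross the bridge between its two members. br0, eth0 and tap0 are the question's interface names; the function names, APPLY/BRIDGE/MEMBER_A/MEMBER_B variables are this example's own.

```sh
#!/bin/sh
# Added example (not from the answer or the question): emit a firewall ruleset
# for a two-member Linux bridge that lets frames pass between the members while
# the host itself refuses to route. br0/eth0/tap0 are the question's interface
# names; bridge_rules, check_bridge_members and APPLY are assumptions of this
# example, not anything the original page defines.

# Refuse obviously wrong input: two distinct, non-empty member names.
check_bridge_members() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Print (do not run) the commands for bridge $1 with members $2 and $3.
bridge_rules() {
    br=$1 a=$2 b=$3
    check_bridge_members "$a" "$b" || { echo "need two different members" >&2; return 1; }
    cat <<EOF
# Layer-2 bridging does not need routing; keep it off so the host cannot
# forward packets at layer 3 between any of its interfaces.
sysctl -w net.ipv4.ip_forward=0
# Bridged frames only traverse the iptables FORWARD chain when br_netfilter
# is loaded and bridge-nf-call-iptables is 1; without it, FORWARD rules never
# see them (and cannot restrict them).
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
# Default-deny forwarding, then permit only frames crossing between the two
# bridge members; anything forwarded by another path is dropped.
iptables -P FORWARD DROP
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $a --physdev-out $b -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $b --physdev-out $a -j ACCEPT
# Traffic addressed to the host's own IP on the bridge.
iptables -A INPUT -i $br -j ACCEPT
EOF
}

# Default: print the ruleset for review. APPLY=1 pipes it to a root shell.
if [ "${APPLY:-0}" = 1 ]; then
    bridge_rules "${BRIDGE:-br0}" "${MEMBER_A:-eth0}" "${MEMBER_B:-tap0}" | sudo sh -e
else
    bridge_rules "${BRIDGE:-br0}" "${MEMBER_A:-eth0}" "${MEMBER_B:-tap0}"
fi
```

The physdev match is what distinguishes "crossed the bridge from eth0 to tap0" from "arrived on br0 and is being routed somewhere"; with ip_forward left at 0 the second case can't happen at all, and the DROP policy on FORWARD backstops it if someone later turns forwarding on. Note that the answer's plain `-A FORWARD -i br0 -j ACCEPT` rule, like these, only takes effect on bridged frames while br_netfilter is active; if you'd rather not pull bridged traffic through iptables, the equivalent filtering can be done in ebtables or the nftables bridge family instead.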


Author: Xenopathic. Updated on September 18, 2022.

Comments

  • Xenopathic
    Xenopathic over 1 year

    I have a bridge set up between my physical Ethernet interface, eth0, and the virtual interface for OpenVPN, tap0. The bridge has an IP address, and the machine can be contacted on that IP address from either interface. However, I don't know what to configure to get traffic flowing across the bridge, between the interfaces.

    Is net.ipv4.ip_forward = 1 necessary to set for bridging, or is it just a setting required for routing?

    How should I configure the FORWARD chain in iptables? Ideally only traffic between the interfaces should be forwarded, so that the machine cannot be used as a bounce point within the network.

  • NYCeyes
    NYCeyes almost 7 years
    @sim Super Thank You so much for this answer. I used the above iptables(1M) commands, substituting in eth0 for tap0, and it resolved my days-long issue. I posted the issue and resolution here, giving your answer credit: ask.fedoraproject.org/en/question/108894/… :)