Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
4
votes
1
answers
9354
views
Cannot get IP address from WiFi access point (hostapd) with DHCP (dnsmasq) bridged with two ethernet adapters (bridge-utils)
**My Android phone is trying to get DHCP address through WiFi connection, but fails.**
Obviously, I might have messed up something in my settings because I couldn't find a complete guide which would let me do everything in one go, thus I had to combine multiple guides, but I still feel a bit new to network configuration on Linux.
What I want to achieve:
**- create a WiFi access point and DHCP server where all devices receive IP addresses in the same network. Internet access not required, so no routing needed - just a local network where my server acts as a switch (bridge) providing IP addresses for all devices connected to it through WiFi or Ethernet.**
Here's what I have:
- a Linux machine (actually, Raspberry Pi with Raspbian) with Ralink RT5370 WiFi dongle (which claims to support Access Point) and two Ethernet ports - one is RPi's built-in port and the other is Trendnet TU2-ET100 (chip AX88772)
- I have installed bridge-utils and dnsmasq and everything works fine with Ethernet connections - all devices connected to RPi Ethernet ports receive their IP addresses from RPi through dnsmasq
- I have installed hostapd and configured it to be open AP, for starters. I tried to use WPA, but on my Android phone that also failed with "Authentication failure", so I disabled auth. And now my Android device gets stuck while acquiring IP address and then fails.
Here are my config files:
/etc/default/hostapd:
```
interface=wlan0
hw_mode=g
bridge=br0
channel=1
ssid=FakeTestServer_AP
auth_algs=1
wmm_enabled=0
```
/etc/default/hostapd:
```
DAEMON_CONF="/etc/hostapd/hostapd.conf"
```
/etc/network/interfaces:
```
auto lo
iface lo inet loopback
auto br0
iface eth0 inet manual
iface eth1 inet manual
iface br0 inet static
    bridge_ports eth0 eth1 wlan0
    bridge_stp off
    bridge_fd 0
    bridge_waitport 0
    bridge_maxwait 0
    address 10.0.0.1
    netmask 255.255.255.0
```
/etc/dnsmasq.conf:
```
interface=br0
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,12h
```
Here is what `ifconfig` shows:
```
br0       Link encap:Ethernet HWaddr 00:14:d1:da:c7:dc
          inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
          inet6 addr: fe80::214:d1ff:feda:c7dc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:1343 errors:0 dropped:0 overruns:0 frame:0
          TX packets:212 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:83674 (81.7 KiB) TX bytes:16750 (16.3 KiB)
eth0      Link encap:Ethernet HWaddr b8:27:eb:74:1f:8c
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:5824 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2800 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1448587 (1.3 MiB) TX bytes:1057796 (1.0 MiB)
eth1      Link encap:Ethernet HWaddr 00:14:d1:da:c7:dc
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:5353 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1145578 (1.0 MiB) TX bytes:414153 (404.4 KiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:65536 Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3744 (3.6 KiB) TX bytes:3744 (3.6 KiB)
mon.wlan0 Link encap:UNSPEC HWaddr 00-C1-40-95-0D-43-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:7417 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2107086 (2.0 MiB) TX bytes:0 (0.0 B)
wlan0     Link encap:Ethernet HWaddr 00:c1:40:95:0d:43
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:182 errors:0 dropped:0 overruns:0 frame:0
          TX packets:122 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31498 (30.7 KiB) TX bytes:21682 (21.1 KiB)
```
To make it clear, I repeat - the bridge and both Ethernet connections work fine, and there are no errors when I run:
```
sudo service hostapd restart
sudo service dnsmasq restart
sudo service networking restart
```
At the very beginning bridge-utils failed with a message
```
can't add wlan0 to bridge br0: Operation not supported
```
but after I added `bridge=br0` to hostapd settings, bridge-utils did not complain anymore, so I guess, wlan0 got added to the bridge but I'm not sure what's going on there.
**How do I get my WiFi working in Access Point mode and be part of the same bridge as both eth0 and eth1 are?**
JustAMartin
(203 rep)
Apr 16, 2015, 08:49 AM
• Last activity: Aug 3, 2025, 04:04 PM
7
votes
1
answers
7283
views
Using a bridge, an LXC container can't ping router, but the host OS can
I've got a virtual machine running under virtualbox, and in that virtual machine I've got an LXC container I'm trying to bridge to virtualbox's NAT interface:
```
------------- ----------- ----------- ---------- ----------
| LXC | ---> | Host OS | ---> | Virtual | ---> | Laptop | ---> | Router |
| Container | | Linux | | Box | | | | |
------------- ----------- ----------- ---------- ----------
eth0 10.1.0.35 br0 eth0 NAT GW: 192.168.1.33 GW:
gw 10.1.0.2 br0 10.1.0.5 10.1.0.2/16 192.168.1.1
gw 10.1.0.2
Ping 10.1.0.2 ping 10.1.0.2
FAIL OK
```
I cannot ping from the LXC container to the virtualbox gateway, but I can from the Host OS.
Note: running `tcpdump` on the host OS, I can see pings being sent from the container to the router, and the reply from the router to the container, but `tcpdump` on the container shows no traffic.
**LXC eth0**
```
eth0      Link encap:Ethernet HWaddr 00:16:3e:ed:82:b8
          inet addr:10.1.0.35 Bcast:10.1.255.255 Mask:255.255.0.0
          inet6 addr: fe80::216:3eff:feed:82b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:585 errors:0 dropped:0 overruns:0 frame:0
          TX packets:588 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:58003 (58.0 KB) TX bytes:56447 (56.4 KB)
```
**Host OS:**
```
root@ubuntuserver:/# ifconfig
br0       Link encap:Ethernet HWaddr 08:00:27:ca:5f:7a
          inet addr:10.1.0.5 Bcast:10.1.255.255 Mask:255.255.0.0
          inet6 addr: fe80::a00:27ff:feca:5f7a/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:2012 errors:0 dropped:0 overruns:0 frame:0
          TX packets:882 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:158794 (158.7 KB) TX bytes:139083 (139.0 KB)
eth0      Link encap:Ethernet HWaddr 08:00:27:ca:5f:7a
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:2968 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2404 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:281188 (281.1 KB) TX bytes:312109 (312.1 KB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:180 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14376 (14.3 KB) TX bytes:14376 (14.3 KB)
vethStvXMU Link encap:Ethernet HWaddr fe:9a:36:3a:84:1c
          inet6 addr: fe80::fc9a:36ff:fe3a:841c/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:557 errors:0 dropped:0 overruns:0 frame:0
          TX packets:554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53465 (53.4 KB) TX bytes:55003 (55.0 KB)
root@ubuntuserver:/# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.080027ca5f7a       no              eth0
                                                        vethStvXMU
```
David Parks
(1190 rep)
Mar 29, 2013, 04:28 AM
• Last activity: Aug 2, 2025, 02:03 AM
0
votes
3
answers
1039
views
KVM VM on bridge to host not getting IP address
I have a host with 4 ethernet ports. I want to assign eno1 to VM1, eno2 to VM2 and so on...
eno1, eno2, eno3 and eno4 each have static IPs. I want VM01 to have the static IP of eno2. For that purpose I set up a bridge and added eno2 to the bridge. Up to this point it looks OK.
After that I installed the VM using cockpit. During install I left the config as default to enp1s0 (with DHCP for IPv4).
After install, on boot up the interface did not get an IP address. I am expecting that the eno2 IP, which shows up on the bridge after eno2 was added to the bridge, should show up for this interface.
**on VM client**
**nmcli connection status**
**From KVM host: I believe the vnet0 came from VM install. relevant output below:**
```
# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: eno2: mtu 1500 qdisc mq master br2 state UP group default qlen 1000
    link/ether 20:67:7c:d6:07:a5 brd ff:ff:ff:ff:ff:ff
19: br2: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 20:67:7c:d6:07:a5 brd ff:ff:ff:ff:ff:ff
    inet 123.112.147.147/26 brd 135.193.167.191 scope global noprefixroute br2
       valid_lft forever preferred_lft forever
22: vnet0: mtu 1500 qdisc fq_codel master br2 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:e6:ef:b1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fee6:efb1/64 scope link
       valid_lft forever preferred_lft forever
# bridge link show
3: eno2: mtu 1500 master br2 state forwarding priority 32 cost 100
22: vnet0: mtu 1500 master br2 state forwarding priority 32 cost 100
```
here is the xml portion from VM:



Rajeev
(256 rep)
Jan 2, 2024, 02:14 AM
• Last activity: Aug 1, 2025, 12:39 PM
6
votes
1
answers
2347
views
What are "self" and "master" options for in "bridge vlan add"?
I'm reading "man bridge" and it says something like:
```
bridge vlan { add | del } dev DEV vid VID [ pvid ] [ untagged ] [ self ] [ master ]
```
What are "self" and "master" options for?
man says:
```
self    the vlan is configured on the specified physical device. Required if the device is the bridge device.
master  the vlan is configured on the software bridge (default).
```
Can anyone elaborate?
As I understand "self" is for virtual interfaces like "br0.10" etc to let the bridge (br0) know that received frames can be for it. Right?
2c9
(61 rep)
Nov 28, 2018, 11:53 AM
• Last activity: Jul 24, 2025, 01:03 PM
0
votes
1
answers
3601
views
Virtual router in homelab Proxmox VM: how to send requests from main/home network to VM behind virtual router?
I have a homelab setup like this (diagram is also available here):
One thing to note here is, my Proxmox host just has 1 NIC for ethernet cable. It has WiFi too but I decided not to use it because it won't play nicely with what I wanted to do (that's my understanding after reading dozens of articles/forums about it).
So I plugged an ethernet cable from a WiFi repeater. This Proxmox host is located in different place in my home - that's why I didn't plug the ethernet directly to the home router. From my laptop, I can wirelessly SSH into the Proxmox host (`192.168.1.5`) just fine. I can also wirelessly access Proxmox's web UI at `https://192.168.1.5:8006` just fine.
What I want to do here is network segmentation between my home network and the VMs network. I know there are free router software out there like pfSense, OpenWrt and etc. But I want to take this opportunity to build it from scratch so I can better understand how things are working together.
I'm planning to run some VMs in this Proxmox host. They all should run within the VMs network I'm creating here. Some VMs may run on dynamic IP/DHCP mode and some may run on static IP mode. 99% of them will be Linux VMs. I'm good without IPv6 support in this VMs network for now. Also, using VLANs is not an option because my router doesn't support VLANs.
With that said, I followed this guide to create a virtual router in Ubuntu VM. The only thing I did differently from that guide is I created a bridge (`br0`) and assign it a static IP (`192.168.2.1/24`) so it can be a router / virtual switch for my VMs network.
I didn't follow the *Port Forwarding from the Internet to the LAN* and *So, about that testing...* steps because I don't need them. In other words, I followed all the steps until and including *Allowing traffic out to the Internet* step.
What I see currently:
- [OK] VMs can ping each other
- [OK] VMs can ping internet
- [Not OK] VM 1 and VM 2 can ping devices in home network e.g. laptop and router
- [OK] Laptop can ping Router VM
- [Not OK] Laptop can't ping VM 1 or VM 2*
\* I already added a static route in my laptop by following this guide. I also tried adding a static route in the home router/gateway.
FWIW, below are my configs...
`ip a` from Proxmox host:
```
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
    link/ether fc:4d:d4:f3:fe:d3 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
3: wlp2s0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 28:c2:dd:a5:46:53 brd ff:ff:ff:ff:ff:ff
4: vmbr0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fc:4d:d4:f3:fe:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::fe4d:d4ff:fef3:fed3/64 scope link
       valid_lft forever preferred_lft forever
5: vmbr1: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 8e:7e:21:7e:f9:e1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8c7e:21ff:fe7e:f9e1/64 scope link
       valid_lft forever preferred_lft forever
11: tap104i0: mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
    link/ether b6:5c:75:be:38:d5 brd ff:ff:ff:ff:ff:ff
12: vmbr2: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 3e:6b:04:2c:d9:e0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3c6b:4ff:fe2c:d9e0/64 scope link
       valid_lft forever preferred_lft forever
13: tap104i1: mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
    link/ether 46:d9:8f:dd:ab:77 brd ff:ff:ff:ff:ff:ff
23: tap102i0: mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
    link/ether 46:9c:a4:fd:81:27 brd ff:ff:ff:ff:ff:ff
24: tap103i0: mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
    link/ether 12:90:ee:36:27:7a brd ff:ff:ff:ff:ff:ff
```
Content of `/etc/network/interfaces` in Proxmox host:
```
auto lo
iface lo inet loopback
iface eno1 inet manual
auto vmbr0
iface vmbr0 inet static
    address 192.168.1.5/24
    gateway 192.168.1.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
iface wlp2s0 inet manual
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
auto vmbr2
iface vmbr2 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.2.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.2.0/24' -o vmbr0 -j MASQUERADE
```
Notes:
- `vmbr1` was from my previous experiment and not relevant/related here; none of my VMs are using `vmbr1` network
- The `post-up` and `post-down` lines were copied from this guide - part of my trial and error effort
`ip a` from Router VM:
```
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 2a:06:12:a9:18:98 brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 192.168.1.175/24 metric 100 brd 192.168.1.255 scope global dynamic ens18
       valid_lft 4270sec preferred_lft 4270sec
    inet6 fe80::2806:12ff:fea9:1898/64 scope link
       valid_lft forever preferred_lft forever
3: ens19: mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether ca:bc:10:17:e0:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s19
    inet6 fe80::c8bc:10ff:fe17:e02f/64 scope link
       valid_lft forever preferred_lft forever
4: br0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether da:56:23:09:09:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::d856:23ff:fe09:972/64 scope link
       valid_lft forever preferred_lft forever
```
Content of `/etc/network/interfaces` in Router VM:
```
auto lo
iface lo inet loopback
auto ens18
iface ens18 inet dhcp
#auto ens19
#iface ens19 inet static
# address 192.168.99.1
# netmask 255.255.255.0
```
IP forward config in Router VM:
```
$ cat /etc/sysctl.conf | grep net.ipv4.ip_forward
net.ipv4.ip_forward=1
```
Content of `/etc/network/if-pre-up.d/iptables` in Router VM:
```
#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables
```
Content of `/etc/network/iptables` in Router VM:
```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# ens18 is WAN interface
# br0 is LAN interface
-A POSTROUTING -o ens18 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Service rules
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
-A INPUT -i br0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp --dport 53 -j ACCEPT
# DHCP client requests - accept from LAN
-A INPUT -i br0 -p udp --dport 67:68 -j ACCEPT
# SSH - accept from WAN
-A INPUT -i ens18 -p tcp --dport 22 -j ACCEPT
# drop all other inbound traffic
-A INPUT -j DROP
# Forwarding rules
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward ICMP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p icmp -s 0.0.0.0/0 -d 192.168.2.0/24 -j ACCEPT
# forward from LAN (br0) to WAN (ens18)
-A FORWARD -i br0 -o ens18 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT
```
Result of `sudo iptables -S` command in Router VM:
```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -i ens18 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -p icmp -j ACCEPT
-A FORWARD -i br0 -o ens18 -j ACCEPT
-A FORWARD -j DROP
```
DHCP config in `/etc/dhcp/dhcpd.conf` in Router VM:
```
subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.100 192.168.2.199;
  option routers 192.168.2.1;
  option domain-name-servers 192.168.2.1;
  option broadcast-address 192.168.2.255;
  host ubuntu-desktop {
    hardware ethernet 5A:5B:74:01:69:34;
    fixed-address 192.168.2.2;
  }
}
```
Note: `ubuntu-desktop` is VM 1
Questions:
1. How can I block VM 1 and VM 2 from accessing devices in my home network? TCP/UDP/ICMP and everything.
2. How can I access the VM 1 and VM 2 when I'm using laptop or desktop e.g. sending ping/ICMP request (`ping 192.168.2.2`/`ping 192.168.2.101`), access Nginx process running on port 80 (`curl 192.168.2.2`/`curl 192.168.2.101`) and SSH server process running on port 22 (`ssh user@192.168.2.2`/`ssh user@192.168.2.101`) on both VMs?
I did some research about this and I got into DNAT/SNAT/Masquerade topic but I'm not sure if that's what I need. If yes, what the rules should look like? I'm new to this iptables topic. I tried rules below but I still can't ping to the VM 1 and VM 2 from my laptop.
```
iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to 192.168.2.1
```
Zulhilmi Zainudin
(111 rep)
Dec 22, 2022, 12:51 PM
• Last activity: Jul 23, 2025, 09:05 PM
1
votes
1
answers
1889
views
Cannot find bridge device with ifupdown
Please note that I am using Void Linux.
Here is my `/etc/network/interfaces.d/br0` file:
```
auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_stp off
    bridge_waitport 0
    bridge_fd 0
```
However on boot I get this error:
```
=> Bringing up the network
Internet Systems Consortium DHCP Client 4.4.2
Copyright 2004-2020 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Cannot find device "br0"
Failed to get interface index: No such device
If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug. These pages explain the proper
process and the information we find helpful for debugging.
exiting.
ifup: failed to bring up br0
```
I have confirmed that I have `bridge-utils` installed. I am at a loss for what the problem here is. I would appreciate help.
Nicholas Hubbard
(111 rep)
Feb 13, 2021, 04:23 PM
• Last activity: Jul 15, 2025, 04:46 AM
0
votes
0
answers
24
views
Linux bridge forwarding from/to TAP interfaces
As explained here in my own Q&A, reconsider the following scenario.
A Linux host with a two port Linux `bridge` and two Linux guest `VMs` connected to it: the first bridge's port is connected to `TAP` interface `tap0` while the second to `tap1`. `tap0` and `tap1` are backend `TAP` interfaces associated to `virtio-net` (frontend) interfaces each exposed to a `QEMU` based `VM` (let's say `VM0` and `VM1`).
As far as I can tell, when `VM0` sends a frame/packet targeted to `VM1`, `VM0` `QEMU` process's userland code calls `write()` syscall on the `fd` `virtio-net` interface is associated to. From `tap0` driver-code viewpoint, the `RX` path is involved (basically `tap0` is receiving a packet/frame from its "logical wires"), hence for instance the kernel `netif_receive_skb()` function is executed in the context of `VM0` `QEMU`'s process.
Furthermore the packet/frame is forwarded from the Linux bridge to the `tap1` interface hence, from `tap1` driver-code viewpoint, the `TX` path is involved (basically `tap1` is transmitting a packet/frame on its "logical wires"), hence for instance the kernel `net_dev_xmit()` function is executed/run in the context of `VM0` `QEMU`'s process as well.
Does it make sense? Thanks.
CarloC
(385 rep)
Jul 11, 2025, 10:19 AM
• Last activity: Jul 11, 2025, 11:58 AM
1
votes
1
answers
3427
views
How to make an iproute2 bridge setup permanent?
I've set up an archlinux inside a Oracle Virtual Box. To be able to reach the VM from the LAN I have added a bridge adapter and configured the guest system following the instructions from the Arch Linux Wiki: Network bridge | With iproute2.
I used the following commands to successfully set up the network:
```
ip link add name lan_bridge type bridge
ip link set lan_bridge up
ip link set enp0s8 up
ip link set enp0s8 master lan_bridge
systemctl start dhcpcd@lan_bridge
```
After those steps I'm able to login into the guest via SSH. Trying to make the changes persistent using:
```
systemctl enable dhcpcd@lan_bridge
```
does not work, though. I'd like systemd to create the exact same setup on startup automatically. Of course I could just paste those commands into a shell script and run it at startup, but I think there should be a proper way to do so. Help is greatly appreciated.
norritt
(85 rep)
Feb 4, 2016, 11:17 PM
• Last activity: Jul 3, 2025, 03:04 AM
0
votes
1
answers
2242
views
Cannot ping VirtualBox VM using bridged network
I have a Fedora 22 laptop with a VirtualBox VM on it. All worked fine when I attached the VM to my wireless network card, but I want to attach it to my hardwired card because the wireless changes. But I cannot ping the VM from my host. Any suggestions?
Here is what I've done:
- Configured my hardwired nic. Set it to not be managed by Networkmanager. I have brought it up, and I can ping it. ifconfig shows:
```
enp0s25: flags=4099 mtu 1500
        inet 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255
        ether 3c:97:0e:38:c4:9d txqueuelen 1000 (Ethernet)
```
- Configured my VM with an IP of 10.0.1.100
- Ensured that the VM network device is enabled and attached to "Bridged Adapter", and that it is indeed the hardwired nic.
I start `tcpdump -i enp0s25 -n` on my host. When I ping *out* from my VM - that is, I ping my host's interface using `ping 10.0.1.1`, I get the following on my host:
```
01:11:57.831609 ARP, Request who-has 10.0.1.1 tell 10.0.1.100, length 46
01:11:59.827699 ARP, Request who-has 10.0.1.1 tell 10.0.1.100, length 46
01:12:00.827591 ARP, Request who-has 10.0.1.1 tell 10.0.1.100, length 46
```
The VM says, "Destination host unreachable" (as you would expect when ARP does not reply).
BTW, I checked with Wireshark and I have verified that the incoming ARP packet is not VLAN tagged. Just to be sure.
Thanks
Mike S
(2732 rep)
Dec 6, 2015, 07:27 AM
• Last activity: Jul 1, 2025, 04:07 PM
0
votes
2
answers
557
views
systemd-networkd bridge does not work with VLAN
I am trying to configure one bridge per VLAN (without VLAN filtering) with `systemd-networkd` for easy configuration of libvirt VMs on Debian 12.
This does work as expected without VLAN and it does work with VLAN with some manual help (`ip link set master ...`). The problem symptom is that `systemd-networkd` does create the bridge and VLAN interfaces but does not connect them:
```
2: onbunten: mtu 1500 qdisc mq master brlan state UP group default qlen 1000
    link/ether 04:92:26:b7:a9:9f brd ff:ff:ff:ff:ff:ff
4: brlan: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c6:50:f5:f2:22:8c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.222/24 brd 192.168.2.255 scope global brlan
       valid_lft forever preferred_lft forever
5: brvlan2: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 46:ba:f7:a8:3d:d7 brd ff:ff:ff:ff:ff:ff
6: brvlan3: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 26:96:9b:cc:69:af brd ff:ff:ff:ff:ff:ff
7: onbunten.4@onbunten: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 04:92:26:b7:a9:9f brd ff:ff:ff:ff:ff:ff
8: onbunten.2@onbunten: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 04:92:26:b7:a9:9f brd ff:ff:ff:ff:ff:ff
9: onbunten3@onbunten: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 04:92:26:b7:a9:9f brd ff:ff:ff:ff:ff:ff
```
The `.2` / pattern difference is intentional; for testing whether that made any difference.
I have found descriptions on the Internet which seem to state that what I did is the solution. I also found the statement
> This configuration is deprecated and no longer supported
on this site (the answer); unfortunately without a clear explanation what exactly is supposed to be deprecated (I did not find any such hints in the Systemd man pages).
I have been running `systemd-networkd` in debug mode (`SYSTEMD_LOG_LEVEL=debug`) but among the 500 lines of logging I do not notice any which are related to the VLAN and bridge interfaces simultaneously. No error messages.
# the config files
## this is what does work
```
==> 31-brlan.netdev 32-brvlan2.netdev 33-brvlan3.netdev 41-onbunten-vlans.network 61-brlan-onbunten.network 71-brlan.network 62-brvlan2-onbunten2.network 63-brvlan3-onbunten3.network 72-brvlan2.network 73-brvlan3.network <==
[Match]
Name=brvlan3
[Network]
DHCP=no
LinkLocalAddressing=no
Gateway=192.168.116.1
# NTP=
ConfigureWithoutCarrier=yes
IgnoreCarrierLoss=yes
[Address]
Address=192.168.116.222/24
DuplicateAddressDetection=ipv4
Scope=global
```
Hauke Laging
(93688 rep)
Dec 26, 2023, 07:19 PM
• Last activity: Jun 23, 2025, 07:38 PM
2
votes
1
answers
56
views
How to enable internet access for a bridge inside a Linux network namespace?
I've created two Linux network namespaces (ns1 and ns2), and inside each, I have:
- A bridge (ns1-br0, ns2-br0)
- A TAP device (tap0, tap1) connected to the respective bridge
- Each TAP device gets an IP address like 10.0.0.2/24.
The problem is: I want devices like tap0 and tap1 to access the internet, but I'm confused about how to set up routing and NAT properly.
The host has internet access via eth0.
How do I:
- Connect the namespace's bridge to the outside world?
- Use NAT or MASQUERADE correctly so that TAP devices can access the internet?
- Assign default gateways?

Bhautik Chudasama
(121 rep)
Jun 18, 2025, 04:03 PM
• Last activity: Jun 18, 2025, 08:57 PM
4
votes
2
answers
752
views
Does a linux bridge's port have its own mac address?
On my Linux Ubuntu I've a Linux bridge `vnet0_6`. You can check the `mac address` of each of the two interfaces attached to bridge's ports.
```
root@eve-ng62:~# brctl show vnet0_6
bridge name     bridge id               STP enabled     interfaces
vnet0_6         8000.7afc42bc8d20       no              vunl0_4_4
                                                        vunl0_6_5
root@eve-ng62:~#
root@eve-ng62:~# brctl showmacs vnet0_6
port no mac addr                is local?       ageing timer
  2     ba:41:1d:fc:61:3a       yes                0.00
  2     ba:41:1d:fc:61:3a       yes                0.00
  1     ce:8f:3f:0e:a7:cb       yes                0.00
  1     ce:8f:3f:0e:a7:cb       yes                0.00
root@eve-ng62:~#
```
My question is: do bridge's ports have their *own* mac addresses? I'm not sure whether the concept of mac address actually applies to bridge's ports themselves or only to interfaces (even virtual ones) attached to them.
CarloC
(385 rep)
Jun 11, 2025, 10:22 AM
• Last activity: Jun 12, 2025, 05:08 PM
5
votes
1
answers
4477
views
Networking and Samba from a guest OS running on qemu
I'm trying to test some software on a big endian system to ensure compatibility. My plan is to use qemu on Ubuntu 12.04 to emulate a MIPS system. So far I've been able to create the guest system successfully, but I haven't been able to network it with the host system. I can access the outside world from the guest system (e.g. wget or apt-get), but my attempts at setting up samba have failed.
According to this, in QEmu 1.1 and newer the network bridge helper can set tun/tap up for you without the need for additional scripting. I'm trying to use that since I've seen different versions of the scripts. Right now `qemu-system-mips -version` reports the following:
```
QEMU emulator version 1.0.50 (Debian 1.0.50-2012.03-0ubuntu2.1), Copyright (c) 2003-2008 Fabrice Bellard
```
I've compiled from the 1.4.1 source and used the version from `apt-get`. Both report the same thing. I'm working under the assumption that I have version 1.1 or later despite what `-version` is telling me. Anyway, the next instruction was to turn on the setuid attribute for the default network helper:
```
sudo chmod u+s /usr/local/libexec/qemu-bridge-helper
```
Next I created a `bridge.conf` file in `/etc/qemu/` and `/usr/local/etc/qemu` with `-rw-r--r--` for permissions. The contents of the file are:
```
allow br0
```
If I start QEmu with the following command:
```
qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda disk.img -append "root=/dev/sda1 console=ttyS0" -nographic -net nic -net bridge,br=br0 -smb /home/uli/samba
```
or with
```
qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda disk.img -append "root=/dev/sda1 console=ttyS0" -nographic -netdev bridge,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1
```
or with
```
qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta -hda disk.img -append "root=/dev/sda1 console=ttyS0" -nographic -netdev tap,helper=/usr/local/libexec/qemu-bridge-helper,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic1
```
I get the following error:
```
failed to get mtu of bridge `br0': No such device
failed to launch bridge helper
qemu-system-mips: -net bridge,br=br0: Device 'bridge' could not be initialized
```
Fair enough, I didn't create the br0 bridge. I've tried creating one with a script I don't understand, but then my guest MIPS QEmu system no longer connects to anything. It sees br0, but it doesn't get an IP address. Clearly I'm doing something wrong here:
```
ifconfig br0 down
brctl delbr br0
ifconfig eth2 0.0.0.0 promisc up
brctl addbr br0
brctl setfd br0 0
brctl addif br0 eth2
echo 1 > /proc/sys/net/ipv4/conf/br0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward
dhclient br0
ifconfig br0 up
```
Is there an easier way to do this? Personally, I would be fine just using the SMB server on \\10.0.2.4\qemu that's described here, but that hasn't worked for me either (115 errors when I try to mount the share, presumably because of networking trouble).
**Update**
Once I create the bridge, I see the following output from ifconfig on the host machine:
```
br0       Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:10.2.32.101  Bcast:10.2.32.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:85 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8235 (8.2 KB)  TX bytes:9227 (9.2 KB)
eth2      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:196581 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44205 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:139517339 (139.5 MB)  TX bytes:3365206 (3.3 MB)
```
Checking the `brctl show` output, I see the following:
```
bridge name     bridge id               STP enabled     interfaces
br0             8000.XXXXXXXXXXXX       no              eth2
```
Now I start the guest system in QEmu. If I run ifconfig, I see the following:
```
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:536 errors:1 dropped:51 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:55083 (53.7 KiB)  TX bytes:2862 (2.7 KiB)
          Interrupt:10 Base address:0x1020
```
And the bridge looks like this:
```
bridge name     bridge id               STP enabled     interfaces
br0             8000.XXXXXXXXXXXX       no              eth2
                                                        tap0
```
Unfortunately with this setup, the guest system has lost the limited "user mode" networking it once had (i.e. wget and apt-get no longer work). The only IP address I see is for the bridge, so I'm not sure how the guest will appear on the network. The host still appears, at the same IP address as br0.
**Update**
Here is the output from `iptables -L`:
```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
GrandAdmiral
(181 rep)
Apr 30, 2013, 09:06 PM
• Last activity: Jun 5, 2025, 11:03 PM
1
votes
2
answers
83
views
Connect multiple virtual NICs to physical network with one physical NIC
I have a piece of software that requires at minimum 3 NICs on a host. The host only has 1 physical NIC. I need to create 2 virtual NICs so the software can be properly configured. These virtual NICs can't be sub interfaces to the physical NIC. They must appear to the software as entirely independent interfaces, the same as a physical NIC. The virtual NICs need to have IPs on the same network as the host and be reachable by an external machine on the same network and address space. How would I go about this? See diagram

cma0014
(121 rep)
May 22, 2025, 09:07 PM
• Last activity: May 27, 2025, 11:52 PM
2
votes
1
answers
4215
views
How to remove a vnet0 interface?
In troubleshooting a no connectivity issue on a newly rolled out kvm host machine, I'm noticing a second bridge interface that isn't needed and may have been created previously: vnet0
```
[user@box]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.14187769b69a       no              em1
                                                        vnet0
virbr0          8000.5254003ada63       yes             virbr0-nic
[user@box]# ip route
default via 111.111.111.2 dev br0
169.254.0.0/16 dev br0 scope link metric 1006
111.111.111.0/23 dev br0 proto kernel scope link src 111.111.111.44
192.168.122.0/24 dev virbr0 proto kernel scope link src src 192.168.122.1
```
Here is the ifcfg-br0 and em1 files respectively:
```
[user@box ~]# cat /etc/sysconfig/network-scripts/ifcfg-br0
TYPE=Bridge
BOOTPROTO=static
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=br0
PREFIX=23
DEVICE=br0
ONBOOT=yes
IPADDR=111.111.111.44
GATEWAY=111.111.111.2
DNS1=4.4.4.4
[user@box ~]# cat /etc/sysconfig/network-scripts/ifcfg-em1
TYPE=Ethernet
NM_CONTROLLED=no
NAME=em1
DEVICE=em1
ONBOOT=yes
BRIDGE=br0
```
A sister EL7 system with fully functioning network bridge looks like this:
```
[user@box]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.141877699b         no              em1
virbr0          8000.5254004bc0f4       yes             virbr0-nic
[user@box]# ip route
default via 111.111.111.2 dev br0
111.111.111.0/23 dev br0 proto kernel scope link src 111.111.111.222
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
[user@box ~]# cat /etc/sysconfig/network-scripts/ifcfg-br0
TYPE=Bridge
BOOTPROTO=static
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=br0
PREFIX=23
DEVICE=br0
ONBOOT=yes
IPADDR=111.111.111.222
GATEWAY=111.111.111.2
DNS1=4.4.4.4
[user@box ~]# cat /etc/sysconfig/network-scripts/ifcfg-em1
TYPE=Ethernet
NM_CONTROLLED=no
NAME=em1
DEVICE=em1
ONBOOT=yes
BRIDGE=br0
```
I tried using `virsh net-destroy vnet0`, but am seeing failed to get network vnet0
How do I remove the rogue `vnet0` interface from the first example?
a coder
(3343 rep)
May 3, 2017, 09:20 PM
• Last activity: May 11, 2025, 11:02 PM
0
votes
0
answers
31
views
KVM VM on Ubuntu Server can't reach or be reached on LAN after bridging setup
First off, let me say that to me, networking is a black art, practiced by strange men in hooded cloaks, chanting strange incantations. I can 'do' **basic** networking.
The background is that I have created VMs using KVM on my Ubuntu Desktop running Ubuntu Desktop 24.04 for a number of years. I have a Netplan YAML file for bridging that took me a long time to get right and that has served me well to enable the VM to talk to the internet and the host machine. This worked fine and my needs were simple.
I have now created a VM on my Ubuntu Server (no GUI) and am able to configure using the VM Manager on my Ubuntu Desktop. I now want my VM to talk to the internet, and my local network physical machines, and for those machines to talk to the VM. At one point the VM would talk with everything, but not vice versa. I think I have now screwed everything up and it will not talk with anything - don't know why!
My Ubuntu server is called MERLIN, with IP address 192.168.1.10. My Ubuntu Desktop is called CAMELOT, with IP address 192.168.1.11. My VM is called MORDRED (residing on MERLIN) and I want it to have a static IP address of 192.168.1.18. MORDRED should be able to talk to CAMELOT and MERLIN. I don't think this is a big ask, is it?
The Netplan YAML file on the server (MERLIN) is as follows:
```
network:
  version: 2
  #renderer: NetworkManager
  renderer: networkd
  ethernets:
    enp3s0:
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.1.10/24
      routes:
        - to: default
          via: 192.168.1.1
          metric: 100
          on-link: true
      mtu: 1500
      nameservers:
        addresses: [8.8.8.8]
  bridges:
    br0:
      interfaces: [enp3s0]
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.1.3/24
      routes:
        - to: default
          via: 192.168.1.1
          # metric: 100
          on-link: true
      mtu: 1500
      nameservers:
        addresses: [8.8.8.8]
      parameters:
        stp: true
        forward-delay: 4
```
Also in the Netplan folder on the server is an XML file as follows (not really sure what this is for, I put it there a few years ago. It worked so I left it alone):
host-bridge
The YAML file on the VM is as follows:
```
network:
  version: 2
  # renderer: NetworkManager
  renderer: networkd
  ethernets:
    enp1s0:
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.1.18/24
      routes:
        - to: default
          via: 192.168.1.1
          metric: 100
          on-link: true
      mtu: 1500
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
```
The Virtual Network Interface in the VM Manager is set as follows:
Network Source: Bridge Device...
Device Name: br0
Device Model: virtio
When I issue `ifconfig` on the server, I get the following:
```
br0: flags=4163 mtu 1500
        inet 192.168.1.3 netmask 255.255.255.0 broadcast 192.168.1.255
        inet6 2a0a:ef40:60:1801:6828:2dff:fee0:ae68 prefixlen 64 scopeid 0x0
        inet6 fe80::6828:2dff:fee0:ae68 prefixlen 64 scopeid 0x20
        ether 6a:28:2d:e0:ae:68 txqueuelen 1000 (Ethernet)
        RX packets 14531 bytes 1269556 (1.2 MB)
        RX errors 0 dropped 216 overruns 0 frame 0
        TX packets 8082 bytes 15347032 (15.3 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp3s0: flags=4163 mtu 1500
        inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
        ether e0:d5:5e:d1:d2:f2 txqueuelen 1000 (Ethernet)
        RX packets 15694 bytes 1543343 (1.5 MB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 17907 bytes 15946048 (15.9 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10
        loop txqueuelen 1000 (Local Loopback)
        RX packets 5238 bytes 4812865 (4.8 MB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 5238 bytes 4812865 (4.8 MB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099 mtu 1500
        inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
        ether 52:54:00:4e:3b:6e txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vnet0: flags=4163 mtu 1500
        inet6 fe80::fc54:ff:fea6:8243 prefixlen 64 scopeid 0x20
        ether fe:54:00:a6:82:43 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 1 bytes 90 (90.0 B)
        TX errors 0 dropped 2927 overruns 0 carrier 0 collisions 0
```
I don't know where the `virbr0` and `vnet0` come from. Probably not important!
But on the VM, I am now only getting:
```
lo: flags=73 mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10
        loop txqueuelen 1000 (Local Loopback)
        RX packets 12965 bytes 922705 (922.7 KB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 12965 bytes 922705 (922.7 KB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
I was getting a lot more, but with my messing about I think I have totally screwed it up and can't get back to it.
The annoying thing is that I did momentarily have everything as I wanted it, and decided to reboot everything to ensure that it all persisted - it didn't, and I am now in the situation I am in at the moment.
So, if there are any strange men who normally wear hooded cloaks would like to whisper some strange incantations in my directions I would VERY much appreciate it.
Regards, StuartM
StuartM
(11 rep)
May 9, 2025, 06:18 PM
• Last activity: May 10, 2025, 07:11 AM
0
votes
1
answers
131
views
How to make ip link settings persistent on ubuntu 22.04
I'm trying to make persistent some ip links settings on ubuntu 22.04 desktop.
Commands below work fine but are not persistent:
```
ip link add mynet-shim link eno1 type macvlan mode bridge
ip addr add 192.168.1.223/32 dev mynet-shim
ip link set mynet-shim up
ip route add 192.168.1.192/27 dev mynet-shim
```
I have tried using `nmcli` but it seems `macvlan` bridge is not available. Do you have any idea or a tutorial explaining how to proceed?
Sam99
(3 rep)
Apr 27, 2025, 09:30 PM
• Last activity: Apr 28, 2025, 10:53 AM
1
votes
2
answers
2867
views
How do I force packet go through specific physical interface knowing destination MAC only?
I'm creating a L3-Switch that modifies packets by redirecting some of them to local app. My goal is to send them further to the same MAC as before.
Short "why": zero-conf device to connect with to any ethernet network, portable, does proxying.
Switch is organized as ethernet bridge (br-lan) between eth0 and eth1. It is assumed by default that gateway for br-lan clients lies through eth0.
Question: Let's say that packet comes from eth1 on the way to eth0 and gets redirected to local app. After that app has output and destination IP of the original packet has changed. L3 tries to route packet to new destination, but it doesn't have any default gateways (And it shouldn't, because it's switch!). Assuming I know the MAC address of default gateway, how do I force packet to go out through eth0 to specific MAC address?
Technically I'm not trying to do anything "illegal" in terms of network. I want to kick the packet out of eth0 and all I'm "missing" is destination MAC, but I can retrieve it from the original packet. I know for sure that destination IP isn't local, therefore it would be sent to default gateway anyway using its MAC address. So it's a question of implementation.
I was trying to modify destination MAC at bridge -t NAT OUTPUT by doing this:
> ebtables -t nat -A OUTPUT -p ipv4 --ip-proto tcp --ip-src 192.168.1.251 -j dnat --to-dst 04:61:e7:d2:e2:09
But that didn't help. (Assuming 04:61:e7:d2:e2:09 is default gateway MAC and 192.168.1.251 is one of the clients just to test this theory)
Actual implementation is on OpenWRT, so available packages might be limited.
**How did I get to that problem:**
More information on the local app: it's ss-redir from here, binds to 0.0.0.0:port => https://github.com/shadowsocks/shadowsocks-libev
Added use cases to the [Device]:
Expectation: We have 3 PC-clients connected to a regular switch. After bringing [Device] and connecting it to regular switch and reconnecting PC-clients to [Device], PC-clients gain [Result] without configuring the device.
2) From the "outside" every PC-client should be accessible for all protocols in the network, whatever they are (RDP, NetBIOS for naming resolution, file sharing, or whatever local admin decides to do).
3) They should have internet access via default gateway as always, except proxying tcp via SS for particular destination ipset (which is always through the very same gateway)
Under assumption that these use cases require device not having any IP/MAC knowledge of the existing network from the start (because office users won't config anything by themselves), I'm trying to make "proxying bridge" that works like a switch, intercepting packets and sends them out to eth0 (WAN) after local app redirection. The problem is the after redirection packet needs to be sent on its way. I'm investigating "auto-reconfig on the fly idea" with a MAC-snat/dnat, but stuck with the problem that packet won't go to eth0 after being generated locally even if I can specify Default Gateway MAC-addr in ebtables as destination.
clockware
(11 rep)
May 25, 2018, 07:37 PM
• Last activity: Apr 24, 2025, 11:04 AM
4
votes
1
answers
3413
views
Bridge interfaces with Vlan on Linux based access point
I have a Linux based wireless access point. It has **eth0** interface for ethernet, **ath0** for wireless and **br-wan** as a bridge between the two.
```
bridge name     bridge id               STP enabled     interfaces
br-wan          8000.001567000041       no              eth0
                                                        ath0
```
**Q:** How can I add vlan tagging on the wireless side so that all the outgoing traffic will be tagged, and only incoming tagged traffic will be accepted?
I've tried creating a new vlan using **vconfig**
```
vconfig add ath0 15
ip link set ath0.15 up
```
I then used a computer with a traffic generator software to send frames through the Ethernet port of the access point. Using **tcpdump** -e I can see them pass through both ath0 and ath0.15, however no tagging is added whatsoever.
DoctorBurp
(41 rep)
Sep 3, 2013, 01:48 PM
• Last activity: Apr 18, 2025, 07:04 PM
4
votes
1
answers
2322
views
I can ping across namespaces, but not connect with TCP
I'm trying to set up two network namespaces to communicate with each other. I've set up two namespaces, `ns0` and `ns1` that each have a veth pair, where the non-namespaced side of the veth is linked to a bridge.
I set it up like this:
```
ip link add veth0 type veth peer name brveth0
ip link set brveth0 up
ip link add veth1 type veth peer name brveth1
ip link set brveth1 up
ip link add br10 type bridge
ip link set br10 up
ip addr add 192.168.1.11/24 brd + dev br10
ip netns add ns0
ip netns add ns1
ip link set veth0 netns ns0
ip link set veth1 netns ns1
ip netns exec ns0 ip addr add 192.168.1.20/24 dev veth0
ip netns exec ns0 ip link set veth0 up
ip netns exec ns0 ip link set lo up
ip netns exec ns1 ip addr add 192.168.1.21/24 dev veth1
ip netns exec ns1 ip link set veth1 up
ip netns exec ns1 ip link set lo up
ip link set brveth0 master br10
ip link set brveth1 master br10
```
As expected, I can ping the interface in `ns0` from `ns1`.
```
$ sudo ip netns exec ns1 ping -c 3 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=0.099 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=0.189 ms
```
But, I can't connect the two over TCP.
For example, running a server in `ns0`:
```
$ sudo ip netns exec ns0 python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
```
I would expect to be able to curl it from `ns1`, but that yields an error:
```
$ sudo ip netns exec ns1 curl 192.168.1.20:8080
curl: (7) Failed to connect to 192.168.1.20 port 8080: No route to host
```
Why is this happening?
Lee Avital
(203 rep)
Oct 11, 2019, 12:25 AM
• Last activity: Apr 14, 2025, 07:03 AM
Showing page 1 of 20 total questions