Bridging Network Devices with Multiple IPs

I have a small server with a single NIC that I am trying to get a bridge functioning on so that I can run KVM. On this NIC I have a couple IPs statically assigned to it:

eth0 = 192.168.1.1
eth0:1 = 192.168.1.2
eth0:2 = 192.168.1.3
eth0:3 -> Assign the bridge to this

I am attempting to set up a bridge using the following instructions:

sudo brctl addbr br0
sudo brctl addif br0 eth0:3
sudo ifconfig br0 192.168.1.120 netmask 255.255.255.0 up
sudo route add -net 192.168.1.0 netmask 255.255.255.0 br0
sudo route add default gw 192.168.1.1 br0
sudo tunctl -b -u root -t tap0 > /dev/null
sudo ifconfig tap0 up
sudo brctl addif br0 tap0

However, when I do the second command:

sudo brctl addif br0 eth0:3

It puts the ENTIRE eth0 device into promiscuous mode. This knocks the server offline, leaving it inaccessible except locally.

Is there a way to bridge JUST eth0:3 to br0 and not put the entire device into promiscuous mode?


The short answer is, as far as I know, NO.

The long answer: A bridge is a layer 2 device. Think of it as a virtual Switch. To bridge between a network card and an internal device you need to take all data that comes in on the network card and put it on the bridge (minus layer 2 filtering, such as .1q vlans). Let me draw a picture to explain:

This is how you want it to work (a routing scenario):

<vif> ---- <br0> --- <eth0:3> ---- <peth0> --- <internet>

But in reality the virtual bridge always bridges on layer 2:

<br0> --- <peth0>-------<internet>
  |          |
<vif0>    <eth0>
          <eth0:2>

Here peth0 is your physical device, while eth0 is the logical device (with address and such).

To get the scenario you want you will have to use routing instead of bridges. The reason that peth0 is put in promiscuous mode is that it could otherwise filter out data headed to devices on the bridge. It doesn't know what the devices on the bridge might listen to.


Nope, I'm pretty sure it won't work that way. You'll need to put the entire eth0 device into the bridge and add subinterfaces to the bridge interface instead, such as br0:1 etc.

Is there any reason that you're trying to avoid having the additional IPs bound on the br0 interface?
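A worked version of the layout both answers describe, as an added example that is not from the question or either answer: the whole eth0 joins br0 and the three addresses move to br0, br0:1 and br0:2. It uses iproute2 instead of brctl/ifconfig; the /24 prefix and the GW gateway value are assumptions, and eth0 still ends up in promiscuous mode because that is inherent to bridging.

```shell
#!/bin/sh
# Added example, not from the question or answers: put all of eth0 into br0
# and move the addresses that lived on eth0 / eth0:N to br0 / br0:N.
# Interface names and 192.168.1.x addresses come from the question; the /24
# prefix and GW are assumptions. --plan prints the commands, --apply runs them.
set -eu

PHYS=${PHYS:-eth0}            # physical NIC currently holding the addresses
BR=${BR:-br0}
TAP=${TAP:-tap0}
GW=${GW:-192.168.1.254}       # assumed gateway: replace with the real one
# "label address/prefix" pairs mirroring eth0, eth0:1, eth0:2 in the question
ADDRS="$BR 192.168.1.1/24
$BR:1 192.168.1.2/24
$BR:2 192.168.1.3/24"

run() {
    # Plan mode prints each command; apply mode executes it.
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

bridge_plan() {
    # Order matters on a remote box: br0 is up and addressed before eth0
    # loses its addresses, so the gap in connectivity is as short as possible.
    run ip link add name "$BR" type bridge
    run ip link set "$BR" up
    printf '%s\n' "$ADDRS" | while read -r label cidr; do
        run ip addr add "$cidr" dev "$BR" label "$label"
    done
    run ip link set "$PHYS" master "$BR"   # enslaving sets promiscuous mode
    run ip addr flush dev "$PHYS"          # addresses now live on br0 only
    run ip route replace default via "$GW" dev "$BR"
    # tap device for the KVM guest, attached to the same bridge
    run ip tuntap add dev "$TAP" mode tap user root
    run ip link set "$TAP" up
    run ip link set "$TAP" master "$BR"
}

case "${1:-}" in
    --plan)  DRY_RUN=1; bridge_plan ;;
    --apply) DRY_RUN=0; bridge_plan ;;
esac
```

Review the output of --plan first, then run --apply as root under nohup or screen so the script completes even if the SSH session drops during the switch-over.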