Debian Linux: Configure Network Interfaces As A Bridge / Network Switch


My server has five Ethernet ports and one ADSL port. How do I set up an IPv4 software bridge on the Debian Linux operating system so that the five Ethernet ports act as a network switch?

You need to use the brctl command to bridge network connections under Debian Linux. This is useful for:


  1. Sharing your internet connection between multiple devices.
  2. Increasing your Ethernet jack capacity without purchasing a dedicated network switch.
  3. Setting up Debian as an access point, and much more.

Install bridge-utils package

You need to install a package called bridge-utils for configuring the Linux Ethernet bridge.
# apt-get install bridge-utils
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 35.5 kB of archives.
After this operation, 145 kB of additional disk space will be used.
Get:1 wheezy/main bridge-utils i386 1.5-6 [35.5 kB]
Fetched 35.5 kB in 1s (21.9 kB/s)       
Selecting previously unselected package bridge-utils.
(Reading database ... 23737 files and directories currently installed.)
Unpacking bridge-utils (from .../bridge-utils_1.5-6_i386.deb) ...
Processing triggers for man-db ...
Setting up bridge-utils (1.5-6) ...


In the example below, eth0 to eth4 act as a switch. Back up the file /etc/network/interfaces and then edit it:
# cp -v /etc/network/{interfaces,interfaces.bak}
# vi /etc/network/interfaces

To make your bridge configuration permanent, edit this file. Append/modify as follows:

# The loopback network interface
auto lo 
iface lo inet loopback
# Eth0 to Eth4 network switch
allow-hotplug eth0
iface eth0 inet manual
   pre-up   ifconfig $IFACE up
   pre-down ifconfig $IFACE down
allow-hotplug eth1
iface eth1 inet manual
   pre-up   ifconfig $IFACE up
   pre-down ifconfig $IFACE down
allow-hotplug eth2
iface eth2 inet manual
   pre-up   ifconfig $IFACE up 
   pre-down ifconfig $IFACE down
allow-hotplug eth3
iface eth3 inet manual
   pre-up   ifconfig $IFACE up
   pre-down ifconfig $IFACE down
allow-hotplug eth4
iface eth4 inet manual
   pre-up   ifconfig $IFACE up
   pre-down ifconfig $IFACE down
# Setup an IP address for our bridge
# ('inet static' also needs address and netmask lines for br0 in this stanza)
auto br0
iface br0 inet static
  bridge_ports eth0 eth1 eth2 eth3 eth4

Save and close the file.
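
A pre-restart check for the file edited above, as an added example that is not part of the original tutorial. It lists the ports on the bridge_ports line and flags any member that is not declared inet manual, and any uplink interface (eth6 here) that has ended up inside the bridge. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an ifupdown interfaces file before restarting networking.

# Member ports on the bridge's bridge_ports line, one per line.
bridge_members() {   # $1 = file, $2 = bridge
    awk -v br="$2" '$1 == "iface" { cur = $2 }
        cur == br && $1 == "bridge_ports" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Method (manual, static, dhcp, ...) declared for one interface; empty if none.
iface_method() {     # $1 = file, $2 = interface
    awk -v ifc="$2" '$1 == "iface" && $2 == ifc && $3 == "inet" { print $4; exit }' "$1"
}

# Prints one finding per line; returns 1 if anything was found.
audit_bridge() {     # $1 = file, $2 = bridge, $3 = uplink that must stay unbridged
    bad=0
    members=$(bridge_members "$1" "$2")
    [ -n "$members" ] || { echo "no bridge_ports found for $2"; return 1; }
    for port in $members; do
        case $port in
            all|regex) echo "bridge_ports uses '$port'; list the ports explicitly"
                       bad=1; continue ;;
        esac
        [ "$port" != "$3" ] || { echo "uplink $3 is a member of $2"; bad=1; }
        method=$(iface_method "$1" "$port")
        [ "$method" = "manual" ] ||
            { echo "$port is ${method:-undeclared}, expected manual"; bad=1; }
    done
    return $bad
}

# Constructed sample: eth1 was left on dhcp and the uplink eth6 slipped into br0.
sample_interfaces() {
    cat <<'EOF'
iface eth0 inet manual
iface eth1 inet dhcp
iface eth6 inet manual
auto br0
iface br0 inet static
  bridge_ports eth0 eth1 eth6
EOF
}

# Demo on the sample. On a real host: audit_bridge /etc/network/interfaces br0 eth6
f=$(mktemp) && sample_interfaces > "$f"
audit_bridge "$f" br0 eth6 || echo "fix the findings above before restarting networking"
rm -f "$f"
```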

Restart the networking service

To stop the current network configuration, enter:
# service networking stop
Sample outputs:

Deconfiguring network interfaces...done.

To activate br0 network interface, enter:
# service networking start
Sample outputs:

Configuring network interfaces...
Waiting for br0 to get ready (MAXWAIT is 32 seconds).

Verify br0 configuration

Type the following command:
# ip addr show
Sample outputs:

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 00:00:24:cf:69:68 brd ff:ff:ff:ff:ff:ff
3: eth1:  mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN qlen 1000
    link/ether 00:05:b4:09:ee:9c brd ff:ff:ff:ff:ff:ff
4: eth2:  mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 1000
    link/ether 00:00:24:cf:69:69 brd ff:ff:ff:ff:ff:ff
5: eth3:  mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 1000
    link/ether 00:00:24:cf:69:6a brd ff:ff:ff:ff:ff:ff
6: eth4:  mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 1000
    link/ether 00:00:24:cf:69:6b brd ff:ff:ff:ff:ff:ff
7: wlan0:  mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:1d:73:bc:e4:6e brd ff:ff:ff:ff:ff:ff
8: br0:  mtu 1500 qdisc noqueue state UP 
    link/ether 00:00:24:cf:69:68 brd ff:ff:ff:ff:ff:ff
    inet brd scope global br0
    inet6 fe80::200:24ff:fecf:6968/64 scope link 
       valid_lft forever preferred_lft forever

You can use the following brctl command to see all current instances of the ethernet bridge:
# brctl show
Sample outputs:

bridge name	bridge id		STP enabled	interfaces
br0		8000.000024cf6968	no		eth0

How do I show a list of MAC addresses?

# brctl showmacs br0

How can I see bridge STP information?

# brctl showstp br0

Other options

To see all other supported options, type the following commands:
$ man brctl
$ brctl --help
Sample outputs:

Usage: brctl [commands]
	addbr     			add bridge
	delbr     			delete bridge
	addif     	 	add interface to bridge
	delif     	 	delete interface from bridge
	hairpin   	  {on|off}	turn hairpin on/off

A note about DHCPD server

You may want to set up a DHCPD server to allow clients such as desktops, laptops, and mobile devices to request and obtain an IP address and many other parameters from the server / switch itself. See how to setup an ISC DHCP Server for your network for more information.

A note about Iptables

The data flows through all interfaces, so you only need to filter on one interface. Turn on packet forwarding using the Linux kernel and iptables (NAT). The commands below assume that eth6 or ppp0 is the connection to the Internet. First, turn on IP forwarding in the kernel:
# sysctl -w net.ipv4.ip_forward=1
Next, use the following command:
/sbin/iptables -t nat -A POSTROUTING -o eth6 -j MASQUERADE
### ppp0 ###
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

OR set up IP forwarding and masquerading (NAT):
/sbin/iptables --table nat --append POSTROUTING --out-interface eth6 -j MASQUERADE
/sbin/iptables --append FORWARD --in-interface br0 -j ACCEPT
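
A tighter variant of the rules above, as an added example that is not from the original tutorial. With the default FORWARD policy of ACCEPT, the commands above forward packets in both directions, so this version sets the policy to DROP and accepts only LAN-to-uplink connections and their replies. The function names and the IPT override are assumptions made for the example.

```sh
#!/bin/sh
# Added example: stateful forwarding rules for the bridged LAN behind one uplink.
# Set IPT=echo to print the iptables arguments instead of applying them.
IPT=${IPT:-/sbin/iptables}

# Run one iptables command; report and return 1 on failure.
rule() { $IPT "$@" || { echo "failed: $IPT $*" >&2; return 1; }; }

harden_forwarding() {   # $1 = LAN bridge (br0), $2 = uplink (eth6 or ppp0)
    lan=$1 wan=$2
    [ -n "$lan" ] && [ -n "$wan" ] && [ "$lan" != "$wan" ] ||
        { echo "usage: harden_forwarding <bridge> <uplink>" >&2; return 2; }
    # Forwarded packets are dropped unless a rule below accepts them.
    rule -P FORWARD DROP || return 1
    # Replies to connections that were already allowed out.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1
    # New connections only from the LAN towards the uplink, never the reverse.
    rule -A FORWARD -i "$lan" -o "$wan" -j ACCEPT || return 1
    # Port-to-port traffic inside the bridge; it reaches FORWARD only when
    # net.bridge.bridge-nf-call-iptables is 1.
    rule -A FORWARD -i "$lan" -o "$lan" -j ACCEPT || return 1
    # Source NAT for everything leaving through the uplink.
    rule -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# sysctl -w is lost at reboot; succeed only if forwarding is persisted in the file.
forwarding_persisted() {   # $1 = sysctl file, default /etc/sysctl.conf
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' \
        "${1:-/etc/sysctl.conf}"
}

# As root, on a FORWARD chain with no earlier rules: harden_forwarding br0 ppp0
```

The rules match on br0 rather than on eth0 to eth4 because the bridge is the interface iptables sees for routed traffic.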

Feel free to modify rules as per your setup. See iptables man page or the following tutorials for more information:

  1. Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall)
  2. Linux: 20 Iptables Examples For New SysAdmins

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.


9 comments

  1. We could write this line shorter:

    # cp -v /etc/network/{interfaces,interfaces.bak}

    # cp -v /etc/network/interfaces{,.bak}

  2. Using Backtrack 5R3, which is Ubuntu-based, can I bridge wlan0 and eth0? I want to be able to run a router connected to eth0 that shares the internet connection that is connected to wlan0. Will this method work in this case? If not, do you know how?

  3. Hi I am trying to bridge eth1 with an openVPN tap0. The client behind eth1 gets the IP from the openVPN server, but I cannot ping anything in the subnet.
    Router 1:
    openVPN Server
    – eth0
    – openVPN tab0 Server
    – bridge eth0 with tap0
    openVPN Client (behind router 2
    – eth0
    – openVPN tap0 Client (can ping all subnets and get servers ip in browser whatismyip)
    – bridge tab0 and eth1 (br0
    Client Behind eth1
    – gets DHCP from (router 1)
    – cannot ping router 1 but can ping (br0
    – arp – a shows mac of router 1
    – No internet traffic at all

    Does anybody have a suggestion on this?

    Thank you,

    1. Hey Andreas, old thread but if anyone else is looking, in openvpn in the server config.
      add dns server and dns
