You need a VM on the LAN, not behind NAT
You installed Fedora and fired up Virtual Machine Manager to run a guest OS. You want that guest to get an IP address from your router, just like your laptop. You tried creating a bridge, but now your host lost internet access, or the VM can't ping anything. NetworkManager manages bridges differently than old-school scripts, and a misstep here drops your connection instantly.
A botched bridge config can lock you out of SSH. Run these commands from a local terminal or keep a backup SSH session open in another window. If you lose connectivity, you can revert the changes from the backup session.
What's actually happening
A network bridge merges two network segments into one. Think of it like a plumbing T-joint. Your physical network cable flows into the bridge, and the virtual machine's virtual cable flows into the other side. To the router, the bridge looks like a single device with multiple MAC addresses. The host OS doesn't route traffic between the VM and the LAN; the bridge just passes frames through.
This is different from NAT, where the host acts as a gateway and translates addresses. NAT hides the VM behind the host's IP. A bridge gives the VM a direct presence on the network. The VM gets its own IP from the DHCP server, and other devices on the LAN can reach it directly.
When you create a bridge, the physical network interface stops holding the IP address. The bridge interface takes over. The physical NIC becomes a "dumb" wire that just forwards packets to the bridge. This shift is where most confusion happens. If you don't move the IP configuration to the bridge, the host loses its network identity.
Create the bridge with nmcli
NetworkManager is the default network manager on Fedora. Use nmcli to configure bridges. Don't use ifup, brctl, or manual edits to /etc/sysconfig/network-scripts. Those tools fight NetworkManager and cause drift. Config files live in /etc/NetworkManager/. Never edit files in /usr/lib/.
Here's how to create the bridge connection and attach the physical interface. Replace enp3s0 with your actual interface name. Run ip link show to find the name of your active Ethernet or Wi-Fi interface.
# Create the bridge connection named br0.
# The ifname matches the con-name for simplicity.
sudo nmcli connection add type bridge ifname br0 con-name br0
# Configure the bridge to get an IP via DHCP.
# Without this, the bridge comes up with no IP and you lose connectivity immediately.
sudo nmcli connection modify br0 ipv4.method auto
# Attach the physical NIC to the bridge as a slave.
# The slave connection must not have an IP address configured.
# NetworkManager handles the IP on the bridge, not the slave.
sudo nmcli connection add type ethernet ifname enp3s0 master br0 con-name br0-slave
# Bring the connections up. Order matters: bridge first, then slave.
# If the slave comes up first, it may grab the IP before the bridge is ready.
sudo nmcli connection up br0
sudo nmcli connection up br0-slave
Reboot the host after bridge changes. NetworkManager sometimes caches stale state that only a restart clears.
Migrate static IP settings
If your host uses a static IP address, you must migrate those settings to the bridge connection. The bridge needs the same IP, gateway, and DNS settings that the physical interface had before.
Here's how to apply static IP configuration to the bridge. Replace the values with your actual network details.
# Set the bridge to manual IP configuration.
sudo nmcli connection modify br0 ipv4.method manual
# Assign the static IP address and subnet mask.
# Replace 192.168.1.50/24 with your host's IP and CIDR prefix.
sudo nmcli connection modify br0 ipv4.addresses 192.168.1.50/24
# Set the default gateway.
# Replace 192.168.1.1 with your router's IP address.
sudo nmcli connection modify br0 ipv4.gateway 192.168.1.1
# Configure DNS servers.
# Replace 8.8.8.8 with your preferred DNS resolver.
sudo nmcli connection modify br0 ipv4.dns 8.8.8.8
# Reactivate the bridge to apply the new configuration.
sudo nmcli connection up br0
Run nmcli connection show br0 to verify the settings. The output should list the IP address, gateway, and DNS under the IPv4 settings section.
Configure firewall for the bridge
Firewalld zones control traffic filtering. If the bridge is in the public zone, firewalld might block traffic between the VM and the LAN. For a bridge acting as a pass-through, assign the bridge to the trusted zone.
Here's how to assign the bridge to the trusted zone. This allows all traffic on the bridge without filtering.
# Add the bridge to the trusted zone permanently.
# Trusted zones allow all traffic, which is standard for bridges.
sudo firewall-cmd --permanent --zone=trusted --add-interface=br0
# Reload the firewall to apply changes.
# Runtime config and persistent config diverge without this step.
sudo firewall-cmd --reload
Check firewall-cmd --get-active-zones to confirm the bridge is in the trusted zone. The output should list br0 under the trusted zone.
Verify connectivity
After the bridge comes up, the physical NIC no longer holds the IP address. The bridge interface does. Verify the IP moved and the bridge is forwarding traffic.
Here's how to check the bridge state and test connectivity.
# Check that br0 has the IP address and state is UP.
# Look for the inet line with your IP address.
ip addr show br0
# Confirm the physical interface is enslaved to the bridge.
# The output should show enp3s0 as a slave of br0.
bridge link show
# Ping the default gateway to confirm host connectivity survived the bridge setup.
ping -c 4 $(ip route | grep default | awk '{print $3}')
If the bridge shows state DOWN, check journalctl -xeu NetworkManager. The logs usually point to a typo in the interface name or a conflict with an existing connection.
Common pitfalls and error messages
Error: Connection activation failed: Device not managed by NetworkManager.
This error appears when NetworkManager isn't controlling the interface. Check nmcli device status. If the device shows unmanaged, edit /etc/NetworkManager/NetworkManager.conf and ensure managed=true is set. Restart NetworkManager with sudo systemctl restart NetworkManager.
Error: Connection activation failed: No suitable device found for connection 'br0-slave'.
This error means the interface name in the slave connection doesn't match any available device. Run ip link show to verify the interface name. Interface names can change between boots if you use predictable names incorrectly. Update the slave connection with the correct name: sudo nmcli connection modify br0-slave 802-3-ethernet.device enp3s0.
Host loses internet after bridge creation.
This happens when the IP configuration stays on the physical interface instead of moving to the bridge. The bridge comes up with no IP, and the physical interface loses its IP when it becomes a slave. Migrate the IP settings to the bridge as shown in the static IP section. If you used DHCP, ensure ipv4.method auto is set on the bridge.
VM can't reach the network.
Check the firewall zone. If the bridge is in public, firewalld might be blocking traffic. Move the bridge to trusted. Also check SELinux. SELinux denials show up in journalctl -t setroubleshoot with a one-line summary. Read those before disabling SELinux. Bridges usually work fine with SELinux enforcing, but custom scripts might trigger denials.
Packet drops or routing issues inside the VM.
Some advanced setups require disabling bridge netfilter. If your VM runs a router or you see packet drops, the kernel might be inspecting bridge traffic with iptables rules that don't apply to bridged frames.
Here's how to disable bridge netfilter if you experience packet drops.
# Disable netfilter for bridge traffic temporarily.
# This stops iptables from inspecting frames passing through the bridge.
sudo sysctl -w net.bridge.bridge-nf-call-iptables=0
# Make the change persistent across reboots.
# Create a new sysctl config file in /etc/sysctl.d/.
echo "net.bridge.bridge-nf-call-iptables=0" | sudo tee /etc/sysctl.d/99-bridge.conf
# Apply the persistent configuration immediately.
sudo sysctl -p /etc/sysctl.d/99-bridge.conf
Use this sysctl change only when necessary. Disabling netfilter reduces visibility into bridge traffic for firewall rules.
When to use a bridge
Use a network bridge when you need the VM to appear as a separate device on your LAN with its own IP address. Use NAT when you only need the VM to access the internet and don't care about LAN visibility. Use a macvlan when you want the VM to have a direct MAC address on the physical interface without a bridge abstraction, useful for some DHCP quirks. Use a routed interface when the VM needs to be on a different subnet and you want the host to act as a router.
Trust nmcli. Manual edits to connection files drift and break during upgrades. NetworkManager handles the lifecycle of bridges, slaves, and IP addresses automatically when configured through the CLI.