Am I mistaken that the host shouldn’t be configured on the WAN interface? Can I solve this by passing the pci device to the VM, and what’s the best practice here?
Passing the PCI network card / device to the VM would make things more secure as the host won’t be configured / touching the network card exposed to the WAN. Nevertheless, passing the card to the VM would make things less flexible, and it isn’t required.
I think there’s something wrong with your setup. One of my machines has a br0 and a setup like yours. 10-enp5s0.network is the physical “WAN” interface:
```
root@host10:/etc/systemd/network# cat 10-enp5s0.network
[Match]
Name=enp5s0

[Network]
# note that we're just saying that enp5s0 belongs to the bridge, no IPs are assigned here.
Bridge=br0

root@host10:/etc/systemd/network# cat 11-br0.network
[Match]
Name=br0

[Network]
# In my case I'm also requesting an IP for my host but this isn't required. If I set it to "no" it will also work.
DHCP=ipv4
```
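As an added example (not code from the poster), here is a small Python audit that parses systemd-networkd `.network` files of the shape shown above and reports whether the host ends up with an L3 address on the WAN-facing side: the physical interface should only be enslaved to the bridge, and the bridge itself only gets an address if you ask for one with `DHCP=` or `Address=`. The file names, interface names and the sample address are constructed for the example; the parser follows systemd's rule that only whole lines starting with `#` or `;` are comments, so a trailing comment after a value is treated as part of the value and shows up as a finding.

```python
"""Audit systemd-networkd .network files for a bridged WAN interface.

Added example, not part of the original post. Checks that the physical
WAN interface is only enslaved to the bridge and that the host has no
address on the WAN side unless it was configured on purpose.
"""
import re

# Constructed sample files mirroring the layout in the post (hypothetical host).
SAMPLE_FILES = {
    "10-enp5s0.network": "[Match]\nName=enp5s0\n\n[Network]\nBridge=br0\n",
    "11-br0.network": "[Match]\nName=br0\n\n[Network]\nDHCP=no\n",
}


def parse_network_file(text):
    """Parse a .network file into {section: [(key, value), ...]}.

    Keys may repeat (several Address= lines), so each section keeps a list.
    Only lines beginning with '#' or ';' are comments, as in systemd; a '#'
    after a value is NOT a comment and stays part of the value.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def values(sections, section, key):
    """All values of `key` in `section` (empty list if absent)."""
    return [v for k, v in sections.get(section, []) if k == key]


def host_has_l3(sections):
    """True if [Network] gives the host an address on this interface."""
    if values(sections, "Network", "Address"):
        return True
    dhcp = [v.lower() for v in values(sections, "Network", "DHCP")]
    return any(v in ("yes", "true", "ipv4", "ipv6") for v in dhcp)


def audit(files, wan_iface, bridge):
    """Return a list of (severity, message) findings for a dict of file texts."""
    findings = []
    by_iface = {}
    for name, text in files.items():
        sec = parse_network_file(text)
        for iface in values(sec, "Match", "Name"):
            by_iface[iface] = (name, sec)

    if wan_iface not in by_iface:
        return [("warn", f"no .network file matches {wan_iface}")]
    fname, sec = by_iface[wan_iface]
    # The physical WAN port should carry nothing but the Bridge= membership.
    if bridge not in values(sec, "Network", "Bridge"):
        findings.append(("warn", f"{fname}: {wan_iface} is not enslaved to {bridge}"))
    if host_has_l3(sec):
        findings.append(("warn", f"{fname}: host has an address on physical WAN port {wan_iface}"))

    if bridge not in by_iface:
        findings.append(("warn", f"no .network file matches {bridge}"))
    else:
        bname, bsec = by_iface[bridge]
        # Optional, as the post says: only flag it so the admin can decide.
        if host_has_l3(bsec):
            findings.append(("info", f"{bname}: host takes an address on {bridge}; set DHCP=no if unwanted"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_FILES, "enp5s0", "br0") or [("ok", "no findings")]:
        print(f"[{severity}] {msg}")
```

Run it against a copy of `/etc/systemd/network` by loading the files into a dict; a `warn` means the host itself is reachable on the WAN-facing port, an `info` only notes the optional address on the bridge that the post mentions.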