Linux bridge not answering arp packets

I'm trying to setup a test scenario regarding linux bridges for which I need a full virtual IP stack. Basically, I'd like to simulate the network between a VM (or container) and its host, just without a VM, i.e. virtualization layer.

The host side is a bridge (br0) with a configured IP address (the default gw of the simulated VM) as seen in other, working KVM setups. I've tried to simulate the VM-side of the connection as follows:

• using a tap interface (OpenVPN connection to another server, pinging from there)
• a veth pair with one end configured with an IP address and the other attached to the bridge
• a secondary bridge with an IP address connected to the primary bridge via veth pair

In none of these setups I was able to ping the host bridge (the VMs default gw). In all setups the problem was the same: the bridge interface didn't respond to ARP packets.

configuration (local veth):

    +-----+
    | br0 |
    |     | +------+    +------+
    |     ==| vip1 |<-->| vip2 |
    +-----| +------+    +------+

    br0:  type=bridge, UP, 172.16.1.1/24
    vip1: type=veth, UP
    vip2: type=veth peer, UP, 172.16.1.2/24

    # brctl addbr br0
    # ifconfig br0 172.16.1.1 netmask 255.255.255.0 up
    # ip link add vip1 type veth peer name vip2
    # ifconfig vip2 172.16.1.2 netmask 255.255.255.0 up
    # brctl addif br0 vip1
    # ifconfig vip1 up

Now I'm trying to ping the br0 from vip2:

    # [root@host ~]# ping -I vip2 172.16.1.1
    # PING 172.16.1.1 (172.16.1.1) from 172.16.1.2 vip2: 56(84) bytes of data.
    # ^C
    # --- 172.16.1.1 ping statistics ---
    # 2 packets transmitted, 0 received, 100% packet loss, time 1493ms

tcpdump on the bridge:

    # [root@host ~]# tcpdump -i br0
    # tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    # listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
    # 23:14:02.367624 ARP, Request who-has 172.16.1.1 tell 172.16.1.2, length 28
    # 23:14:03.367657 ARP, Request who-has 172.16.1.1 tell 172.16.1.2, length 28
    # 23:14:04.367345 ARP, Request who-has 172.16.1.1 tell 172.16.1.2, length 28
    # ...

Which is rather strange, since the br0 interface on which these packets arrive is UP and should respond to the ARP requests.

    # [root@host ~]# ifconfig br0
    # br0       Link encap:Ethernet  HWaddr F6:F3:5A:A7:A2:5B
    #           inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
    #           inet6 addr: fe80::f4f3:5aff:fea7:a25b/64 Scope:Link
    #           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    #           RX packets:53 errors:0 dropped:0 overruns:0 frame:0
    #           TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
    #           collisions:0 txqueuelen:0
    #           RX bytes:1580 (1.5 KiB)  TX bytes:360 (360.0 b)

I've tried:

• OpenVPN tap interface (ping from another host through OpenVPN so packet arrive on tap interface vs. veth interface)
• another bridge (br1), using a veth pair to connect both bridges
• setting net.ipv4.conf.all.arp_filter and others, but nothings seems to have an effect
• iptables and ebtables are empty and ACCEPT everything.

So I'm struggling to find out why this is not working an what's the difference to container or virtualization solutions. Any help is highly appreciated!

Thanks!