I’m using CRS326-26G-2S+ switches with L2 HW offloading (no L3 stuff, just switching). Works great.
But now I want to use some /bridge/filter features on some packets (specifically, ARP packets - to deny ARP spoofing).
Is it possible to do that, without disabling L2 HW offloading?
I’ve tried to do this:
/in eth sw rule add switch=switch1 ports=ether1 mac-protocol=arp redirect-to-cpu=yes
But none of the ARP packets get into /bridge/filter forward chain.
Is it possible? Maybe I’m doing something wrong?
Or do I even need /bridge/filter functionality to filter ‘source address’ field of ARP protocol?