dhcp arp/authoritative

On your wireless links/hotspot, are you running

arp for leases turned on?
and/or authoritative turned on?

Thanks
-Michael

No, and no for every hotspot we’ve ever set up. Still waiting for 2.9 to mature before migrating our hotspots from 2.8.

I don't run hotspots, but from a strictly technical point of view I would enable arp for leases. Authoritative yes, but disable default-forwarding for the wireless interface, and if you run a central hotspot and bridge all traffic to the hotspot then do not allow intra-client traffic, or your infrastructure will be used as a bouncer for simple user-user traffic. If you run a hotspot you might want to let customers reach “internet” only.

Some people who run hotspots tell me that unless you put a lot of work into it, your AP turns into a sitting duck for abuse and DoS (some kiddies love it).
You don't want users to be able to run ettercap or similar to perform network level man-in-the-middle attacks, so basically no intra-client traffic possible is good. (For everything else they got Ad-Hoc mode :) )

Just my 2NOK
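
The following is an added example, not written by any poster in this thread and not MikroTik code: a Python check that compares observed ARP claims against the DHCP lease table, which is the IP-to-MAC binding that "arp for leases" relies on and that ARP-spoofing tools such as ettercap violate. All addresses, MACs and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: DHCP lease table (IP -> MAC) for a hotspot subnet.
LEASES = {
    "10.5.50.1": "00:0c:42:00:00:01",   # gateway, treated as a fixed binding
    "10.5.50.10": "00:11:22:33:44:10",
    "10.5.50.11": "00:11:22:33:44:11",
}

# Constructed sample: ARP claims seen on the wire as (sender IP, sender MAC).
OBSERVED = [
    ("10.5.50.10", "00:11:22:33:44:10"),
    ("10.5.50.11", "00-11-22-33-44-11"),
    ("10.5.50.1", "00:11:22:33:44:11"),   # client MAC claiming the gateway IP
    ("10.5.50.99", "00:AA:BB:CC:DD:99"),  # address that was never leased
]


def normalize(mac):
    """Lower-case a MAC and use ':' separators so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


def audit(leases, observed):
    """Return (kind, ip, mac) findings for ARP claims that contradict leases."""
    leases = {ip: normalize(mac) for ip, mac in leases.items()}
    findings = []
    ips_by_mac = defaultdict(set)
    for ip, mac in observed:
        mac = normalize(mac)
        ips_by_mac[mac].add(ip)
        if ip not in leases:
            findings.append(("no-lease", ip, mac))      # self-assigned address
        elif leases[ip] != mac:
            findings.append(("mac-mismatch", ip, mac))  # possible ARP spoofing
    # One MAC answering for several IPs is typical of a man-in-the-middle host.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("multi-ip", ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    for finding in audit(LEASES, OBSERVED):
        print(*finding)
```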