Hello,
When configuring ARP mode on any interface (ethernet / vlan / bridge), it would be nice to select both modes:
local-proxy-arp
reply-only
Some kind of:
/interface/bridge
set [find where name="bridge"] arp=local-proxy-arp,reply-only
This behaviour would effectively implement, router-side, a complete IP guard protection, given that every downstream switch has port protection on all ports except upstream, while still allowing two clients of the same network to communicate through the router.
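For reference, the reply-only half of the request already depends on the ARP table being populated by something other than ARP itself. The following RouterOS configuration is an added example, not from this thread and not MikroTik's own: it puts a bridge in reply-only mode and lets the DHCP server supply the IP-to-MAC bindings, since a reply-only interface resolves neighbours only from entries in /ip/arp. The interface name, DHCP server name, subnet and client MAC are assumed.

```routeros
# Added example; "bridge", "dhcp1", the address and the MAC are assumed values.
# reply-only: the router answers ARP requests but never sends its own, and
# resolves neighbours only from entries present in /ip/arp.
/interface/bridge
set [find where name="bridge"] arp=reply-only

# Let the DHCP server create an ARP entry for every lease it hands out, so each
# client's IP is bound to the MAC that requested it.
/ip/dhcp-server
set [find where name="dhcp1"] add-arp=yes

# A host with a fixed address gets a static entry instead (documentation MAC range).
/ip/arp
add address=192.0.2.10 mac-address=00:00:5E:00:53:01 interface=bridge comment="fixed host (assumed)"

# Check the resulting bindings: a client whose IP/MAC pair does not appear here
# is unreachable from the router while arp=reply-only is set.
/ip/arp
print where interface=bridge
```

A host that changes its IP or MAC without a matching entry loses connectivity through the router, which is the enforcement the thread is after; the missing piece is answering on behalf of isolated peers, which local-proxy-arp provides but which cannot be set alongside reply-only today.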
I’ve found that the MAC-address-based filtering doesn’t always work properly in the bridge filter. Trying to write a bridge filter to match just BPDU packets ends up matching packets that have completely different MAC addresses that should not be matched by the bridge filter rule. It seems to be a bug. I haven’t tested in v7; it might behave differently with a newer ebtables version.
The easiest way for them to do this would probably be to make yet another setting that has them combined, something like local-proxy-arp-and-reply-only.
Opened SUP-62240 to highlight this request.
From an outside point of view, things are always easier… but I trust it would not be big work to implement as the two functions are already operational (for more than a decade).
A moment later, but it would be very appreciated. I wondered if it could work using a bridge, setting the ARP setting of the bridge to “reply-only” and the interfaces of the bridge to “local-proxy-arp”.