We have a bridge with many VLAN “tunnel” interfaces, all with the same “Horizon”, so they don’t share the same broadcast domain. But as we need to allow them to communicate with each other, we have set the bridge ARP setting to “local-proxy-arp”.
Now, in the same bridge, we need to disable dynamic ARP learning, so that only “static” ARP entries are used. So we should set the bridge ARP setting to “reply-only”.
Is there a way to get BOTH functionalities (“local-proxy-arp” and “reply-only”) in the same bridge interface?
I’d say the answer is “set arp=local-proxy-arp and use /interface bridge filter add chain=output mac-protocol=arp arp-dst-mac-address=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff out-bridge=your-bridge-name action=drop to provide the arp=reply-only behaviour”, which is possible on a bridge but wouldn’t be possible on an interface which is not a member of a bridge. You may have to fiddle a bit with the rule, though; I had no chance to try it live. So first add the rule with out-interface=name-of-just-one-of-the-bridge-interfaces in it, so that you don’t lock yourself out of the device.