Using gateway=someinterface is only valid for point-to-point interfaces, and using the same subnet on different interfaces requires special handling.
Port isolation or bridge horizon would be a more usual approach for isolating clients within the same L2 network.
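As an added illustration of the bridge-horizon approach mentioned above (not configuration from the thread), the following RouterOS snippet keeps several client ports in one shared subnet while preventing them from reaching each other at L2; proxy-arp on the bridge interface makes the router relay any client-to-client traffic at L3, so the ordinary `/ip firewall filter` forward chain applies to it. Interface names, the bridge name and the 203.0.113.0/24 address are assumptions.

```routeros
# Added example, not from the original post. Assumed names: bridge-clients, ether2-4.
# Clients share one /24, but ports with the same non-zero horizon value do not
# forward frames to each other, so client-to-client traffic cannot stay at L2.
/interface bridge add name=bridge-clients arp=proxy-arp
/interface bridge port add bridge=bridge-clients interface=ether2 horizon=1
/interface bridge port add bridge=bridge-clients interface=ether3 horizon=1
/interface bridge port add bridge=bridge-clients interface=ether4 horizon=1
# One gateway address for all clients, assigned on the bridge rather than per port.
/ip address add address=203.0.113.1/24 interface=bridge-clients
# With proxy-arp the router answers ARP for neighbouring clients, so inter-client
# packets are routed back out the same bridge and pass the forward chain here.
/ip firewall filter add chain=forward in-interface=bridge-clients \
    out-interface=bridge-clients action=drop comment="no client-to-client"
```

The last rule is where the isolation policy lives; replace the blanket drop with whatever the hosting policy allows (for example, permitting established/related traffic first), and it governs inter-client traffic the same way the other forward rules govern WAN traffic.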
Thank you for the reply,
I was looking for an "easier" way than bridging )
As per the manual, proxy-arp should be exactly it in my case.
My scenario is that I host VMs for clients using both real and private IP space. Making /30 subnets for real IP space is "expensive".
Also, in the setup I described, I only need to set up firewall rules in firewall->filter and they would work for both WAN and "inter-client" communication. In the case with a bridge I'd need to create bridge filtering as well )
But the setup looks a little complicated, I agree with you ))