Block ARP requests (or broadcast message, if possible) from A SPECIFIC HOST in a subnet
I have achieved this requirement in 2 ways on Linux devices. I am still looking for ways to achieve this on Windows devices.
- By entering a static ARP entry for my gateway and then disabling ARP.
- Using arptables
First Method
ip neighbor add 172.xx.xxx.1 lladdr 84:xx:xx:xx:xx:80 nud permanent dev eth0
The above command needs the ip-full package on OpenWrt systems. eth0 is my WAN interface. If there is already an entry for the gateway, use:
ip neighbor replace 172.xx.xxx.1 lladdr 84:xx:xx:xx:xx:80 nud permanent dev eth0
Now disable ARP. Use either one of the following commands:
ip link set dev eth0 arp off
ifconfig eth0 -arp
To re-enable later, use:
ip link set dev eth0 arp on
ifconfig eth0 arp
Second Method
This one uses the arptables package. First, I allowed my gateway. Then I also allowed ARP on my LAN (br-lan interface) and finally blocked all other ARP:
arptables -A INPUT -i eth0 -s 172.xx.xxx.1 --source-mac ac:xx:xx:xx:xx:xx -j ACCEPT
arptables -A INPUT -i br-lan -j ACCEPT
arptables -P INPUT DROP
You should modify the arptables rules according to your own requirements. The above rules will also stop you from pinging eth0 hosts because their ARP responses will be blocked too. You can add another rule "arptables -A INPUT -i eth0 --destination-mac e4:xx:xx:xx:xx:xx -j ACCEPT", where e4:xx:xx:xx:xx:xx is your eth0 MAC. This will allow all unicast ARP packets, including ARP responses sent to your device.
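As an added example (not from the post above): a small POSIX shell script covering both methods, with a check that the gateway's static neighbour entry is really in place before ARP is switched off (first method), and the second method's rule set including the unicast-allow rule, applied with a reachability test that rolls back to ACCEPT if the gateway stops answering. The gateway address, the MACs and the interface names are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed/constructed values: gateway
# IP and MAC, WAN interface eth0, LAN bridge br-lan, and this device's eth0 MAC.
GW_IP="172.16.0.1"            # constructed sample gateway address
GW_MAC="84:aa:bb:cc:dd:80"    # constructed sample gateway MAC
WAN_IF="eth0"
LAN_IF="br-lan"
MY_MAC="e4:11:22:33:44:55"    # constructed sample MAC of this device's eth0
# Method 1 check: read unfiltered `ip neigh show` output on stdin and succeed only
# if the gateway has a PERMANENT entry with the expected MAC on the given interface.
# Run this before `ip link set dev eth0 arp off`; without it the gateway is unreachable.
gw_entry_ok() {
    awk -v ip="$1" -v mac="$2" -v dev="$3" '
        $1 == ip && $NF == "PERMANENT" {
            d = ""; m = ""
            for (i = 2; i < NF; i++) {
                if ($i == "dev") d = $(i + 1)
                if ($i == "lladdr") m = $(i + 1)
            }
            if (d == dev && m == tolower(mac)) found = 1
        }
        END { exit found ? 0 : 1 }'
}
# Method 2 rule set: gateway by IP+MAC, everything on the LAN bridge, unicast ARP
# addressed to our own MAC (so replies from other eth0 hosts still arrive), then DROP.
arp_rules() {
    wan="$1"; lan="$2"; gw_ip="$3"; gw_mac="$4"; my_mac="$5"
    cat <<EOF
arptables -F INPUT
arptables -A INPUT -i $wan -s $gw_ip --source-mac $gw_mac -j ACCEPT
arptables -A INPUT -i $lan -j ACCEPT
arptables -A INPUT -i $wan --destination-mac $my_mac -j ACCEPT
arptables -P INPUT DROP
EOF
}
# Apply Method 2, then confirm the gateway still answers; roll back to ACCEPT if not.
apply_arp_filter() {
    arp_rules "$WAN_IF" "$LAN_IF" "$GW_IP" "$GW_MAC" "$MY_MAC" | sh || return 1
    if ping -c 2 -W 2 "$GW_IP" >/dev/null 2>&1; then
        echo "arptables policy active, gateway $GW_IP reachable"
    else
        arptables -P INPUT ACCEPT && arptables -F INPUT
        echo "gateway unreachable after filtering, rules rolled back" >&2
        return 1
    fi
}
```

Calling `apply_arp_filter` as root applies the rules; the rollback uses ICMP reachability as its test, so adapt it if your gateway does not answer pings.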