Block ARP requests (or broadcast message, if possible) from A SPECIFIC HOST in a subnet

I have achieved this requirement in 2 ways on Linux devices. I am still looking for ways to achieve this on Windows devices.

  1. By entering a static ARP entry for my gateway and then disabling ARP.
  2. Using arptables.

First Method

ip neighbor add 172.xx.xxx.1 lladdr 84:xx:xx:xx:xx:80 nud permanent dev eth0

The above command needs the ip-full package on OpenWrt systems. eth0 is my WAN interface. If there is already an entry for the gateway, use replace instead; replace creates the entry when it is missing and overwrites it otherwise, so it can also be used unconditionally:

ip neighbor replace 172.xx.xxx.1 lladdr 84:xx:xx:xx:xx:80 nud permanent dev eth0

Now disable ARP on the interface. Either command does it (ifconfig is the legacy tool):

ip link set dev eth0 arp off
ifconfig eth0 -arp

With ARP off the kernel neither sends ARP requests nor answers them on eth0, so this silences every host on that segment, not just one. Traffic to the gateway keeps working because the permanent entry above already supplies its MAC; other hosts on eth0 can reach this device only if they carry a static entry for it themselves.

To re-enable later, use:

ip link set dev eth0 arp on
ifconfig eth0 arp
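The whole first method as one script, added here as an example rather than taken from the original post: it pins the gateway, turns ARP off, and then checks the result by reading the neighbour entry back (it must show the pinned MAC and the PERMANENT state) and by looking for the NOARP flag on the interface. The interface name, the gateway address 192.0.2.1 and the MAC 00:00:5e:00:53:01 are placeholders to edit; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: pin the gateway with a permanent
# neighbour entry, switch ARP off on the WAN interface, and verify both steps.
# Interface name, gateway address and MAC are placeholders: edit them.
WAN_IF="${WAN_IF:-eth0}"
GW_IP="${GW_IP:-192.0.2.1}"            # placeholder gateway address
GW_MAC="${GW_MAC:-00:00:5e:00:53:01}"  # placeholder gateway MAC
DRY_RUN="${DRY_RUN:-0}"                # DRY_RUN=1 prints commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# 'replace' creates the entry or overwrites an existing one, so the same
# command works whether or not the gateway is already in the table.
pin_gateway() { run ip neighbor replace "$GW_IP" lladdr "$GW_MAC" nud permanent dev "$WAN_IF"; }
arp_off()     { run ip link set dev "$WAN_IF" arp off; }
arp_on()      { run ip link set dev "$WAN_IF" arp on; }

# Accept one line of 'ip neigh show' output only if it carries the pinned MAC
# and the PERMANENT state. A learned entry (REACHABLE/STALE) can still be
# overwritten by a spoofed reply, so it does not count.
neigh_line_ok() {
    case "$1" in
        *" lladdr $GW_MAC "*PERMANENT*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the "<...>" flag list printed by 'ip link show' contains NOARP.
link_noarp() {
    case "$1" in
        "<NOARP>"|*"<NOARP,"*|*",NOARP,"*|*",NOARP>"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the live state and check it with the two predicates above.
verify() {
    neigh_line_ok "$(ip neigh show to "$GW_IP" | grep " dev $WAN_IF ")" \
        || { echo "gateway entry on $WAN_IF is not pinned" >&2; return 1; }
    link_noarp "$(ip -o link show dev "$WAN_IF" | sed 's/.*\(<[^>]*>\).*/\1/')" \
        || { echo "ARP is still enabled on $WAN_IF" >&2; return 1; }
    echo "gateway pinned and ARP disabled on $WAN_IF"
}

case "${1:-}" in
    apply)  pin_gateway && arp_off && verify ;;
    undo)   arp_on ;;
    verify) verify ;;
    *)      echo "usage: $0 apply|undo|verify  (DRY_RUN=1 prints the commands only)" >&2 ;;
esac
```

Run it as root with `apply`; `verify` alone can be used later to confirm the setting survived a reboot or a network restart, and `undo` turns ARP back on while leaving the permanent entry in place.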

Second Method

This one uses the arptables package. First, I have allowed my gateway. Then I have also allowed ARP on my LAN (br-lan interface) and finally blocked all other ARP.

arptables -A INPUT -i eth0 -s 172.xx.xxx.1 --source-mac ac:xx:xx:xx:xx:xx -j ACCEPT
arptables -A INPUT -i br-lan -j ACCEPT
arptables -P INPUT DROP

You should adapt the arptables rules to your own requirements. As written, they also stop you from pinging other hosts on eth0, because their ARP replies are dropped too. To fix that, add another rule "arptables -A INPUT -i eth0 --destination-mac e4:xx:xx:xx:xx:xx -j ACCEPT", where e4:xx:xx:xx:xx:xx is the MAC of eth0; it accepts every unicast ARP packet addressed to your device, including the replies to your own requests. Note that unicast ARP requests from the host you want to silence match that rule as well, so to block that host completely, insert an explicit DROP for its source MAC before the unicast ACCEPT. Check the result with "arptables -L INPUT -n -v": the packet counters show which rule each ARP frame hit.
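The second method as a complete ruleset, added here as an example and not part of the original post. It goes one step beyond the rules above: besides accepting the gateway (by IP and MAC), the LAN side and unicast ARP to this device, it drops one specific host by MAC, and it places that DROP ahead of the unicast ACCEPT so the host's directed probes do not slip through. The interface names, the gateway 192.0.2.1 and the MACs 00:00:5e:00:53:xx are placeholders to edit; DRY_RUN=1 prints the commands instead of running them. The legacy arptables tool needs the arp_tables kernel module (kmod-arptables on OpenWrt).

```shell
#!/bin/sh
# Added example, not from the original post: build the arptables INPUT chain so
# that the gateway and the LAN side are accepted, one specific WAN host is
# dropped outright, unicast ARP to this device from the other hosts is
# accepted, and all remaining WAN ARP (broadcast requests from other hosts)
# is dropped by the chain policy. Addresses and MACs are placeholders: edit them.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br-lan}"
GW_IP="${GW_IP:-192.0.2.1}"                 # placeholder gateway address
GW_MAC="${GW_MAC:-00:00:5e:00:53:01}"       # placeholder gateway MAC
OWN_MAC="${OWN_MAC:-00:00:5e:00:53:aa}"     # placeholder MAC of $WAN_IF
BLOCK_MAC="${BLOCK_MAC:-00:00:5e:00:53:99}" # placeholder MAC of the host to silence
DRY_RUN="${DRY_RUN:-0}"                     # DRY_RUN=1 prints commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_rules() {
    # Open the chain while rebuilding it, so a typo below cannot lock us out.
    run arptables -P INPUT ACCEPT
    run arptables -F INPUT
    # 1. Gateway: require both the IP and the MAC, so a frame that claims the
    #    gateway IP from another MAC does not match this rule.
    run arptables -A INPUT -i "$WAN_IF" -s "$GW_IP" --source-mac "$GW_MAC" -j ACCEPT
    # 2. The host to silence, matched by MAC. It must come before rule 3,
    #    otherwise its unicast requests to us would be accepted there.
    run arptables -A INPUT -i "$WAN_IF" --source-mac "$BLOCK_MAC" -j DROP
    # 3. Unicast ARP addressed to this device: replies to our own requests and
    #    directed probes from the remaining hosts, so ping to them keeps working.
    run arptables -A INPUT -i "$WAN_IF" --destination-mac "$OWN_MAC" -j ACCEPT
    # 4. The LAN side is left alone.
    run arptables -A INPUT -i "$LAN_IF" -j ACCEPT
    # 5. Everything else, i.e. broadcast ARP from other WAN hosts, is dropped.
    run arptables -P INPUT DROP
}

# List the chain with packet counters: every ARP frame bumps the rule it hit,
# so a growing counter on rule 2 confirms the silenced host is being dropped.
show_rules() { run arptables -L INPUT -n -v; }

# Back to an open chain.
clear_rules() { run arptables -F INPUT; run arptables -P INPUT ACCEPT; }

case "${1:-}" in
    apply) apply_rules && show_rules ;;
    clear) clear_rules ;;
    show)  show_rules ;;
    *)     echo "usage: $0 apply|clear|show  (DRY_RUN=1 prints the commands only)" >&2 ;;
esac
```

Run it as root with `apply`, then `show` a few minutes later: the silenced host's frames should be counted on the DROP rule, the gateway's on rule 1, and nothing should appear on the policy counter except broadcast requests from the remaining WAN hosts.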