
Block ARP requests (or broadcast message, if possible) from A SPECIFIC HOST in a subnet

Writer Matthew Martinez

My ISP provides a username and password for authentication and also registers the client's MAC address for authentication.

I am concerned about someone misusing my connection while I am not using it. Usernames are easy to guess (clients can't change usernames, only passwords can be changed), and if anyone finds my MAC address and password, they can use my connection.

Now, the ISP doesn't use private VLANs, so MAC addresses are easy to get. A simple ARP broadcast request from a host within my subnet will reveal my MAC, and I am not relying on the password because the authentication page doesn't use HTTPS. So, my passwords are sent in plain text.

In this scenario, I want to block/drop/reject ARP requests (or any broadcast requests) from any host within my subnet but the gateway.

I have looked at this question and this question, but the OP tried to block all ARP requests. Of course, this is a bad idea because then I won't get any internet traffic from the gateway. I just want to block ARP requests (if possible, any broadcast requests) from any random host in my subnet, but only allow broadcast/ARP from my gateway.

I am using OpenWrt on my wireless router. So, I think Linux solutions will work, and if possible, please also provide a Windows solution.


1 Answer

I have achieved this requirement in 2 ways on Linux devices. I am still looking for ways to achieve this on Windows devices.

  1. By entering a static ARP entry for my gateway and then disabling ARP.
  2. Using arptables.

First Method

ip neighbor add 172.xx.xxx.1 lladdr 84:xx:xx:xx:xx:80 nud permanent dev eth0

The above command needs the ip-full package on OpenWrt systems. eth0 is my WAN interface. If there is already an entry for the gateway, use:

ip neighbor replace 172.xx.xxx.1 lladdr 84:xx:xx:xx:xx:80 nud permanent dev eth0

Now disable ARP. Use either of the following commands.

ip link set dev eth0 arp off
ifconfig eth0 -arp

To re-enable later, use:

ip link set dev eth0 arp on
ifconfig eth0 arp

Second Method

This one uses the arptables package. First, I allowed my gateway. Then I also allowed ARP on my LAN (br-lan interface) and finally blocked all other ARP.

arptables -A INPUT -i eth0 -s 172.xx.xxx.1 --source-mac ac:xx:xx:xx:xx:xx -j ACCEPT
arptables -A INPUT -i br-lan -j ACCEPT
arptables -P INPUT DROP

You should modify the arptables rules according to your own requirements. The above rules will also stop you from pinging eth0 hosts because their ARP responses will be blocked too. You can add another rule "arptables -A INPUT -i eth0 --destination-mac e4:xx:xx:xx:xx:xx -j ACCEPT" where e4:xx:xx:xx:xx:xx is your eth0 MAC. This will allow all unicast ARP packets, including ARP responses sent to your device.
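As an added example (not part of the original answer), the following POSIX shell audit script checks whether either method above is actually in force on the router, by parsing the output of `ip neigh show`, `ip link show dev <wan>` and `arptables -L INPUT -n`. The gateway IP/MAC and interface name are the answer's placeholders, and the sample command output embedded at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added audit helper (not from the original answer): confirms that the
# hardening steps described above took effect. GW_IP, GW_MAC and WAN are
# placeholders copied from the answer; edit them for your own network.
GW_IP=172.xx.xxx.1
GW_MAC=84:xx:xx:xx:xx:80
WAN=eth0

# Method 1, part 1: a PERMANENT neighbour entry for the gateway with the expected MAC.
# `ip neigh show` lines look like "172.xx.xxx.1 dev eth0 lladdr 84:.. PERMANENT".
gw_entry_is_permanent() {   # $1 = `ip neigh show` output
    printf '%s\n' "$1" | awk -v ip="$GW_IP" -v mac="$GW_MAC" '
        $1 == ip { m = ""
            for (i = 1; i <= NF; i++) if ($i == "lladdr") m = $(i + 1)
            if (m == mac && $NF == "PERMANENT") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Method 1, part 2: the WAN interface carries the NOARP flag, i.e. "arp off" is in force.
# `ip link show dev eth0` prints "2: eth0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 ...".
wan_arp_disabled() {        # $1 = `ip link show dev $WAN` output
    printf '%s\n' "$1" | sed -n "s/^[0-9]*: $WAN: <\([^>]*\)>.*/\1/p" | tr ',' '\n' | grep -qx NOARP
}

# Method 2: the arptables INPUT chain defaults to DROP.
# `arptables -L INPUT -n` begins with "Chain INPUT (policy DROP)".
arptables_default_drop() {  # $1 = `arptables -L INPUT -n` output
    printf '%s\n' "$1" | grep -q '^Chain INPUT (policy DROP)'
}

# Prints which method is in force: method1, method2, both or none.
hardening_status() {        # $1 neigh output, $2 link output, $3 arptables output
    m1=0; m2=0
    gw_entry_is_permanent "$1" && wan_arp_disabled "$2" && m1=1
    arptables_default_drop "$3" && m2=1
    case "$m1$m2" in 11) echo both ;; 10) echo method1 ;; 01) echo method2 ;; *) echo none ;; esac
}

# Constructed sample output (not captured from a real router). On the router, pass
# "$(ip neigh show)" "$(ip link show dev $WAN)" "$(arptables -L INPUT -n)" instead.
SAMPLE_NEIGH="172.xx.xxx.1 dev eth0 lladdr 84:xx:xx:xx:xx:80 PERMANENT
172.xx.xxx.23 dev eth0 lladdr 00:11:22:33:44:55 STALE"
SAMPLE_LINK="2: eth0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP"
SAMPLE_ARPT="Chain INPUT (policy DROP)"
hardening_status "$SAMPLE_NEIGH" "$SAMPLE_LINK" "$SAMPLE_ARPT"   # prints: both
```

A result of "none" after applying method 1 usually means the static entry was added without the nud permanent flag, or ARP was re-enabled on the WAN interface by a reboot or a network restart.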
