Hi,
I've run into a network problem and I'm trying to figure out
the quickest route out.
I have a shorewall router with several zones but I have different physical hosts
with the same IP addresses in 2 different zones (lan and caib).
My interfaces file contains the following:
lan $IF_LAN detect routeback,proxyarp=1
wan $IF_WAN detect routeback,proxyarp=1
caib $IF_CAIB detect
dmz $IF_DMZ detect dhcp,proxyarp=1
road ppp+
I need "lan" hosts to communicate with certain IP ranges in the caib
zone (and that works fine).
However, I don't want to allow traffic from "lan" to a
specific IP range in "caib" (say, 10.215.146.0/24).
At the same time, I want to be able to have hosts within the lan zone to have
static IP addresses within 10.215.146.0/24.
Default firewall policy and rules are set up to block most traffic from
caib<->lan zones.
However, ARP requests still go through as expected. So if by any chance
there's another host in the "caib" zone with the same IP
address, the hosts in the "lan" zone will fail to assign their static
IP address because a network conflict will arise, saying that there is
a host in the caib zone with a certain MAC addr. that already has that
IP address.
So is there a way for me to ignore or "poison" ARP messages for a
specific IP range (e.g. 10.215.146.0/24) and just for the "caib" zone?
I know I can "switch ARP off" on a per-ethernet device basis but if I
did that then wouldn't it clobber "legitimate" traffic
to/from CAIB hosts that, say, are not within the 10.215.146.0/24 range?
Or is there any other solution, apart from changing the "lan"
hosts' IP addresses to a non-overlapping value?
Thanks,
Vieri
PS: I've heard of "arptables" but haven't even tried
it and am not sure it can help.