pfSense

Configuration of static ARP entries is done through the DHCP server interface, even if it is not enabled. When using a /31 on an interface, the option for DHCP on that interface never appears and there is no way to configure static ARP entries.

I am (ab)using OpenVPN to extend my network across wireless bridges to mitigate both KRACK and future WPA2 exploits on certain devices until I can run wired ethernet. I have it connect to a WPA2 Enterprise network (using EAP-TLS) which gets assigned to a special VLAN by freeRADIUS. On that network, I only need 2 IP addresses, so I am using a /31. I want to configure static ARP entries on both ends to protect against ARP poisoning attacks should something break WPA2 in the future, but then I run into the issue I described above. I will likely switch to a /30 to workaround it, but we need a better way to configure static ARP entries. Something like duplicating the function in the interface configuration would solve this problem and if the scripts underneath don't somehow rely on dhcp to do the static ARP assignments, this should be easy to do.