Creating a "non-bridge"

Brett Glass brett at lariat.net
Wed Aug 1 02:19:44 UTC 2007


I'd like to create what might be called a "non-bridge" on a FreeBSD machine. I'd like to put two Ethernet interfaces on the machine which have the same IP address and subnet, and use those interfaces to communicate with clients. However, I do not want the clients on one interface to be able to send packets through to the clients on the other interface.

Why would I want to do a thing like this? Well, as you probably know, wireless access points often have a "client isolation" option which allows the clients to talk to the AP (and the Internet) but not to one another. This is a good thing, because it prevents users of the wireless LAN from hacking one another; each of them can only see what's "upstream" of the access point.

I have a situation where I need to put up more than one AP, on the same subnet, behind a FreeBSD machine which will be serving as an Internet gateway. I'd plug both APs into a switch and connect the switch to the FreeBSD machine, but if I did this, the access points' "client isolation" feature would not be sufficient to isolate all of the clients from one another. Each AP would isolate its OWN clients from one another, but would let each of them communicate with ALL of the clients on the other AP! 

My first idea of how to solve this problem is to set the FreeBSD machine up as a bridge, but then block all packets that try to go in one Ethernet interface and out the other. But will this work? Will the FreeBSD machine know which interface to use to communicate with each client, and only send packets for each one out of the appropriate interface? Also, is there a way to do this without putting the interfaces into promiscuous mode (which slows things down considerably)? After all, since the FreeBSD machine is acting as a gateway, it should really only look at packets that are addressed to it.

--Brett Glass
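One concrete way to build the setup the post describes on FreeBSD, added here as an illustration; this is not part of the original message or of any reply to it. It uses the `private` member flag that if_bridge(4) documents (a private member never has frames forwarded to another private member) as the primary isolation mechanism, and an IP-layer pf check on the member interfaces as a second line of defence. Interface names em0/em1 (the two AP-facing NICs) and em2 (upstream), and the client subnet 192.0.2.0/24, are assumptions chosen for the example; the pf lines are a fragment to merge into an existing ruleset, not a complete policy.

```conf
# /etc/rc.conf (fragment)
# Build the bridge at boot, enslave both AP-facing NICs, and mark both
# members "private": if_bridge(4) will not forward frames between two
# private members, so a client on em0 cannot reach a client on em1 at
# layer 2, while both still reach the bridge's own address and the
# upstream route. The bridge's MAC learning table records which member
# each client was last seen on, so unicast replies leave on that member.
cloned_interfaces="bridge0"
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_bridge0="addm em0 addm em1 private em0 private em1 inet 192.0.2.1/24 up"
ifconfig_em2="DHCP"              # assumed upstream (Internet) interface
gateway_enable="YES"
pf_enable="YES"

# /etc/sysctl.conf (fragment)
# Run IP packets that the bridge forwards through pf on the member
# interfaces (not on bridge0 itself), so the rules below see
# client-to-client traffic before it is forwarded.
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

# /etc/pf.conf (fragment)
# Belt-and-suspenders IP-layer check: accept traffic from the client
# subnet that is addressed to this host itself, drop anything from the
# client subnet that is addressed to the client subnet (i.e. to another
# client), and let the rest through so it is routed upstream via em2.
lan_if  = "{ em0, em1 }"
lan_net = "192.0.2.0/24"

pass in quick on $lan_if inet from $lan_net to self
block in quick on $lan_if inet from $lan_net to $lan_net
pass in on $lan_if inet from $lan_net to any
```

Two caveats a practitioner would want. First, the pf fragment only covers IPv4 (the bridge's `pfil_onlyip` default hands only IP packets to the firewall), so ARP and any other non-IP frames between clients are stopped only by the `private` flag; that flag, not the firewall, is what answers the "non-bridge" requirement. Second, this does not avoid promiscuous mode: if_bridge(4) puts its member interfaces into promiscuous mode, because the bridge has to see every frame on the segment to learn and forward. The only way to keep the NICs out of promiscuous mode is to not bridge at all and instead route between two distinct subnets, which the post rules out.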



More information about the freebsd-net mailing list