Dynamic ARP Inspection Equivalence

Hello!

I have an issue that I have came up blank to, and looking for people much brighter and skilled to lend some of their talent.

I’ve got a virtualized VyOS router in Proxmox that has a virtual bridge interface that VMs live on that connect it to the appropriate interface in Proxmox. This is for a small hosting provider that I volunteer at.
The issue that we have is that it is theoretically possible for clients to “IP Hop”, they can give themselves more IP addresses or take other tenant’s IPs as they please since their VM’s network adapter connects to the VyOS interface with a /28 assigned.

I am wondering, is there a way to essentially set it up so that no IPs can be assigned/permitted unless manually via Dynamic Arp Inspection or any equivalence. I tried disabling ARP Ignore to no success, and static ARP assignments to little/no success.

Any thoughts & comments are much appreciated.

I imagine assigning VIFs with /30- 31’s for each customer would work, but if there is better ways please do chime in!

Can you attach L3 firewall ruleset to individual bridge interface?
A simple rule, only allowing tenant source IP(s), and blocking the rest will protect from “misconfigurations” on customer end.

Thank you much for the reply, I’ll have to lab this up and try it. I have a couple ideas, if I come to one that works best for me I’ll have to drop it here for any on-lookers