I am running an OPNsense firewall. I have static ARP entries set to "required" and set up each client with DHCP / MAC address filtering and an ARP entry. I also have the option for "deny unknown clients" DHCP.

Now I set up an ARP poisoning attack using Ettercap between 1 client and the firewall. The attack is successful.

On the client machine, arp -a shows that the MAC address of the firewall changes to Ettercap's address; however, on the OPNsense box the MAC address of the client stays the same (i.e. it is the real MAC of the client, not the Ettercap address).

So only the client needs the ARP poisoning to be successful?
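
An added example, not part of the original post: a client-side check of `arp -a` output against the firewall's known MAC, since the static entries on the firewall do not protect the client's own cache. The addresses, the sample output and the function names are constructed for illustration, and the shared-MAC check is a heuristic.

```python
import re

# Matches the IP and MAC in both common `arp -a` layouts:
#   BSD/Linux: "? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0"
#   Windows:   "  192.168.1.1     00-11-22-33-44-55     dynamic"
ENTRY = re.compile(
    r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})"
)

def normalize(mac):
    """Lower-case, colon-separated, zero-padded octets (BSD prints 0:1b:...)."""
    return ":".join(part.zfill(2) for part in re.split("[:-]", mac.lower()))

def parse_arp(output):
    """Return {ip: mac} from `arp -a` text; incomplete entries are skipped."""
    return {ip: normalize(mac) for ip, mac in ENTRY.findall(output)}

def check_cache(output, gateway_ip, expected_mac):
    """Compare the client's ARP cache with the gateway MAC known out of band."""
    table = parse_arp(output)
    expected = normalize(expected_mac)
    findings = []
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    elif seen != expected:
        findings.append(f"gateway {gateway_ip} is at {seen}, expected {expected}")
    # Heuristic: one MAC answering for several IPs often accompanies poisoning.
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and mac != "ff:ff:ff:ff:ff:ff":
            findings.append(f"{mac} claims {', '.join(sorted(ips))}")
    return findings

# Constructed sample: the gateway entry carries the same MAC as another host.
POISONED = """\
? (192.168.1.1) at 02:00:00:aa:bb:66 [ether] on eth0
? (192.168.1.66) at 02:00:00:aa:bb:66 [ether] on eth0
? (192.168.1.20) at 02:00:00:aa:bb:20 [ether] on eth0
"""

if __name__ == "__main__":
    for finding in check_cache(POISONED, "192.168.1.1", "02:00:00:AA:BB:01"):
        print("ALERT:", finding)
```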