m0n0wall Forum - Bridge & IP spoofing

Internal Side---M0N0---External Side
192.168.0.x (bridge)
172.x.x.x 172.x.x.x

Internal Side: 30 PC (2 IP for 1 machine), connected to switch, switch connected to netcard "Int" M0N0.

External Side: cable with 172.x.x.x network connected to netcard "Ext"
Bridge: broadcasting is necessary

Required:
Block access trom, to 192.168.0.x network through M0N0
Protect "Int" side machines with both net's (192.168.0.x, 172.18.x.x) from IP spoofing

used config:

<?xml version="1.0"?>
<m0n0wall>
   <version>1.4</version>
   <lastchange>1169699550</lastchange>
   <system>
      <shellcmd>kldload ipfw</shellcmd>
      <shellcmd>ipfw add deny all from 192.168.0.0/31 to any out via lnc2</shellcmd>
      <shellcmd>ipfw add deny all from any to 192.168.0.0/31 in via lnc2</shellcmd>
      <shellcmd>arp -s 172.18.2.204 00:0a:48:10:18:db</shellcmd>
      <shellcmd>arp -s 172.18.1.191 00:80:48:b5:a6:07</shellcmd>
      <shellcmd>arp -s 172.18.1.221 00:0d:61:58:2f:81</shellcmd>
      <shellcmd>arp -s 172.18.1.192 00:0d:61:58:2e:5b</shellcmd>
      <shellcmd>arp -s 172.18.1.193 00:0d:61:91:c5:9c</shellcmd>
      <shellcmd>arp -s 172.18.1.194 00:0d:61:91:b7:ab</shellcmd>
      <shellcmd>arp -s 172.18.1.208 00:0d:61:58:0a:cf</shellcmd>
      <shellcmd>arp -s 172.18.1.222 00:0d:61:58:2e:59</shellcmd>
      <shellcmd>arp -s 172.18.1.209 00:0d:61:91:c3:3e</shellcmd>
      <shellcmd>arp -s 172.18.1.210 00:0d:61:91:c4:50</shellcmd>
      <shellcmd>arp -s 172.18.1.211 00:0d:61:58:oa:91</shellcmd>
      <shellcmd>arp -s 172.18.1.212 00:0d:61:58:2e:5a</shellcmd>
      <shellcmd>arp -s 172.18.1.223 00:0d:61:55:3a:69</shellcmd>
      <shellcmd>arp -s 172.18.1.213 00:0d:61:58:09:47</shellcmd>
      <shellcmd>arp -s 172.18.1.214 00:0d:61:58:oa:90</shellcmd>
      <shellcmd>arp -s 172.18.1.215 00:0d:61:58:oa:92</shellcmd>
      <shellcmd>arp -s 172.18.1.216 00:0d:61:58:2f:7f</shellcmd>
      <shellcmd>arp -s 172.18.1.224 00:0d:61:58:oa:d0</shellcmd>
      <shellcmd>arp -s 172.18.1.217 00:0d:61:91:ae:7b</shellcmd>
      <shellcmd>arp -s 172.18.1.218 00:od:61:91:c4:2d</shellcmd>
      <shellcmd>arp -s 172.18.1.219 00:0d:61:91:41:aa</shellcmd>
      <shellcmd>arp -s 172.18.1.220 00:0d:61:55:22:6a</shellcmd>

      <hostname>m0n0wall</hostname>
      <domain>local</domain>
      <dnsserver/>
      <dnsallowoverride/>
      <username>admin</username>
      <password>$1$2xGLA75j$W/jiJc00HYBZX7kFjxjQv0</password>
      <timezone>Etc/UTC</timezone>
      <time-update-interval>300</time-update-interval>
      <timeservers>pool.ntp.org</timeservers>
      <webgui>
         <noassigninterfaces/>
         <protocol>http</protocol>
         <certificate/>
         <private-key/>
      </webgui>
      <disableconsolemenu/>
      <disablefirmwarecheck/>
      <harddiskstandby/>
   </system>
   <interfaces>
      <lan>
         <if>lnc0</if>
         <ipaddr>10.0.0.1</ipaddr>
         <subnet>24</subnet>
         <media/>
         <mediaopt/>
      </lan>
      <wan>
         <if>lnc1</if>
         <mtu/>
         <media/>
         <mediaopt/>
         <spoofmac/>
         <ipaddr>172.18.1.208</ipaddr>
         <subnet>16</subnet>
         <gateway>172.18.0.1</gateway>
      </wan>
      <opt1>
         <if>lnc2</if>
         <descr>bridge</descr>
         <ipaddr>192.168.0.253</ipaddr>
         <subnet>31</subnet>
         <bridge>wan</bridge>
         <enable/>
      </opt1>
   </interfaces>
   <staticroutes/>
   <pppoe/>
   <pptp/>
   <bigpond/>
   <dyndns>
      <type>dyndns</type>
      <username/>
      <password/>
      <host/>
      <mx/>
   </dyndns>
   <dnsupdate/>
   <dhcpd>
      <lan>
         <range>
            <from>192.168.0.251</from>
            <to>192.168.0.253</to>
         </range>
         <defaultleasetime/>
         <maxleasetime/>
      </lan>
   </dhcpd>
   <pptpd>
      <mode/>
      <redir/>
      <localip/>
      <remoteip/>
   </pptpd>
   <ovpn/>
   <dnsmasq>
      <enable/>
   </dnsmasq>
   <snmpd>
      <syslocation/>
      <syscontact/>
      <rocommunity>public</rocommunity>
   </snmpd>
   <diag>
      <ipv6nat>
         <ipaddr/>
      </ipv6nat>
   </diag>
   <bridge>
      <filteringbridge/>
   </bridge>
   <syslog/>
   <nat/>
   <filter>
      <rule>
         <type>pass</type>
         <interface>wan</interface>
         <source>
            <any/>
         </source>
         <destination>
            <any/>
         </destination>
         <descr/>
      </rule>
      <rule>
         <type>block</type>
         <interface>opt1</interface>
         <protocol>tcp/udp</protocol>
         <source>
            <any/>
            <port>67</port>
         </source>
         <destination>
            <any/>
            <port>67</port>
         </destination>
         <frags/>
         <descr>block ext bootpc</descr>
      </rule>
      <rule>
         <type>pass</type>
         <interface>opt1</interface>
         <source>
            <address>192.168.0.0/31</address>
            <not/>
         </source>
         <destination>
            <address>192.168.0.0/31</address>
            <not/>
         </destination>
         <descr/>
      </rule>
      <rule>
         <type>pass</type>
         <interface>lan</interface>
         <source>
            <network>lan</network>
         </source>
         <destination>
            <network>lan</network>
         </destination>
         <frags/>
         <descr>LAN to LAN subnet</descr>
      </rule>
      <tcpidletimeout/>
   </filter>
   <shaper/>
   <ipsec/>
   <aliases/>
   <proxyarp>
      <proxyarpnet>
         <interface>wan</interface>
         <network>172.18.0.0/31</network>
         <descr/>
      </proxyarpnet>
      <proxyarpnet>
         <interface>opt1</interface>
         <network>192.168.0.0/31</network>
         <descr/>
      </proxyarpnet>
   </proxyarp>
   <wol/>
   <captiveportal/>
   <shellcmd>kldload ipfw</shellcmd>
</m0n0wall>

Please help!