SOLVED: ARP Broadcasts are leaving subnet - Switch port violations - please help


Hi,

I am running the UTM9 virtual appliance in a datacenter. The problem I have on this specific installation is that I have been threatened by the hosting company (Hetzner/Germany) that they are going to shut down my server (ESXi 6.5) because they have multiple and permanent switchport violations on the switchport where my machine is attached.

I am only allowed to connect to that switchport using MAC addresses that I get assigned from Hetzner. So I bind these MACs to the network cards in ESXi, and this works so far.

BUT, and here is the problem:
all the MAC addresses of the internal VMware guests (behind the UTM9) in a private 192.168.0.0/24 network are seen at the switchport.
This means ARP broadcasts are leaving the internal network (192.168.0.0/24 on interface eth1).
Normally ARP broadcasts are stopped here and don't cross into other subnets.

Eth0 is my public IP on the UTM; when I do a "tcpdump -i eth0 | grep ARP" I see many, many broadcasts like these:

14:30:02.990873 ARP, Request who-has 192.168.0.238 tell 192.168.0.11, length 46
14:30:02.990875 ARP, Request who-has 192.168.0.149 tell 192.168.0.11, length 46
14:30:03.006995 ARP, Request who-has 192.168.0.147 tell 192.168.0.11, length 46
14:30:03.022297 ARP, Request who-has 192.168.0.237 tell 192.168.0.11, length 46
14:30:03.022822 ARP, Request who-has 192.168.0.236 tell 192.168.0.11, length 46
14:30:03.022824 ARP, Request who-has 192.168.0.235 tell 192.168.0.11, length 46
14:30:03.404799 ARP, Request who-has 192.168.0.55 tell utm.hz6.xx.net, length 46
14:30:03.432743 ARP, Request who-has 192.168.0.39 tell utm.hz6.xx.net, length 46
14:30:03.490079 ARP, Request who-has 192.168.0.180 tell 192.168.0.11, length 46
14:30:03.948653 ARP, Request who-has 192.168.0.63 tell utm.hz6.xx.net, length 46
14:30:03.989290 ARP, Request who-has 192.168.0.149 tell 192.168.0.11, length 46
14:30:03.989379 ARP, Request who-has 192.168.0.147 tell 192.168.0.11, length 46
14:30:03.989380 ARP, Request who-has 192.168.0.237 tell 192.168.0.11, length 46
14:30:03.989380 ARP, Request who-has 192.168.0.236 tell 192.168.0.11, length 46

So all these requests reach the switchport as well and create the switchport violations there.

This is a really critical situation, as the hosting company will shut down my server soon if I don't stop spoofing that port with disallowed MAC addresses (MACs that are coming from my internal machines behind the UTM).

I opened a ticket with Sophos 3 days ago; today I finally got a call from India, from someone I could hardly understand.
All he did was say "> They are all the arp request generating which can be controlled from the switch end." Totally bs.

Any advice?

The strange thing is that I have the exact same setup running on other servers there as well, and there no ARP broadcasts from internal hosts are seen on the public interface of the UTM, so no disallowed ARP traffic reaches the public switchport in the datacenter.

Thanks for helping me to fix this and find the cause of this behaviour.
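The check the post describes ("tcpdump -i eth0 | grep ARP", then eyeballing the output for private addresses) can be scripted so that only the offending frames are listed and counted. The following is an added example, not code from the original post or from Sophos: it scans tcpdump output for ARP lines whose target ("who-has X"), sender ("tell X") or reply address ("Reply X is-at") lies in the internal LAN, using the 192.168.0.0/24 prefix from the post. The sample capture is constructed for this example: two lines are copied from the post, the rest are made up, with 203.0.113.0/24 (a documentation range) standing in for the public subnet and placeholder MACs.

```shell
#!/bin/sh
# Added example, not from the original post or from Sophos: flag ARP frames
# seen on the UTM's public interface (eth0) that carry addresses from the
# internal LAN. The LAN prefix below is the 192.168.0.0/24 from the post;
# the sample capture is constructed for this example.

LAN_PREFIX="${LAN_PREFIX:-192.168.0.}"   # /24 prefix match; adjust for your LAN

# leaked_arp: read tcpdump output on stdin, print every ARP line whose
# target ("who-has X"), sender ("tell X") or reply address ("Reply X is-at")
# starts with LAN_PREFIX. Scans fields by keyword, so it works both with and
# without "tcpdump -e" (link-level header) in the line.
leaked_arp() {
    awk -v pfx="$LAN_PREFIX" '
        /ARP/ && (/who-has/ || /is-at/) {
            hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "who-has" || $i == "tell" || $i == "Reply") {
                    addr = $(i + 1)
                    sub(/,$/, "", addr)      # strip trailing comma: "tell 192.168.0.11,"
                    if (index(addr, pfx) == 1) hit = 1
                }
            }
            if (hit) print
        }'
}

# sample_capture: constructed "tcpdump -i eth0" output. The first two lines
# are copied from the post; the others are made up (203.0.113.0/24 is a
# documentation range standing in for the public subnet, MACs are placeholders).
sample_capture() {
    cat <<'EOF'
14:30:02.990873 ARP, Request who-has 192.168.0.238 tell 192.168.0.11, length 46
14:30:03.404799 ARP, Request who-has 192.168.0.55 tell utm.hz6.xx.net, length 46
14:30:03.500000 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 46
14:30:03.600000 ARP, Reply 192.168.0.11 is-at 00:50:56:aa:bb:cc, length 28
14:30:03.700000 IP 203.0.113.10.443 > 198.51.100.7.51234: Flags [S.], seq 0, length 0
14:30:03.800000 ARP, Reply 203.0.113.1 is-at 00:50:56:dd:ee:ff, length 28
EOF
}

# count_leaked: number of offending lines in the sample capture.
count_leaked() {
    sample_capture | leaked_arp | awk 'END { print NR }'
}

echo "ARP frames on eth0 carrying ${LAN_PREFIX}0/24 addresses:"
sample_capture | leaked_arp
echo "total: $(count_leaked)"
```

To run it against the live interface, replace sample_capture with `tcpdump -lni eth0 -e arp`: `-e` prints the source MAC of each frame, which is what the hoster's switchport filter is matching on, and `-n` keeps tcpdump from replacing the sender address with a hostname such as utm.hz6.xx.net. Any line this prints is a frame from the 192.168.0.0/24 side that should never have reached eth0.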



  • Salut Guenther,

    This just feels like an ESXi issue, but I have a question - have you assigned an appropriate MAC address for the UTM's eth1 on the 'Hardware' tab?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA