I need help setting up a vpn connection with minimal datausage

[pwhooftman]

I have softether installed in a docker container on my synology NAS> A Teltonika 4G router connects to the Softether server via its OpenVPNclient. SecureNAT is enabled. Connected to the Teltonika router is an ESP8266 which collects voltage and temperature data and uploads it to my MQQT server, which is running in another Docker container on my NAS>

Because the VPN connection between the remote Teltonika 4G router (client) en my Softether server is made through 4G, minimal usage of data is important. I cannot make the SecureNat protocol send less Arp4 broadcast packets than every 5 seconds (despite setting HUB_ARP_SEND_INTERVAL to higher values and setting the 'polling' parameters to 1/true.

So i changed my softether docker container from the network 'bridge' to the netwok 'host', so i can set a local bridge in softether and disable secureNAT. But the effect is that all other broadcasts in my LAN are then sent through the VPN connection to the client. How can i make softether block all LAN traffic not specifically targeted to my VPN client from being sent through the VPN tunnel? So this is basically a networking question, but i need guidance. Any help is appreciated.

[solo]

"These internal ARPs do not register on Wireshark and can not possibly have any impact on your data costs"

As for bridge broadcasts, use L3 switch to eliminate them.

[pwhooftman]

As for bridge broadcasts, use L3 switch to eliminate them.

Many thanks. So, to implement L3 switching, i could
- create Virtual Hub #1 and connect that through a local bridge to my LAN
- create Virtual Hub #2 to which i let my VPN clients connect
- create a L3 switch between Virtual Hub #1 and Virtual Hub #2 to prevent broadcasts from my LAN reaching my VPN Clients?

Edit: ARP packets are non-routable packets, how would that work in a L3 switch if i cannot designate IP adresses or ranges to block?

Edit2: is the answer in my question, won't the ARP packets reach the other Virtual Hub through the L3 switch because they are non-routable?

[solo]

Yes, but SecureNAT is the simplest solution, and again "These internal ARPs do not register on Wireshark...".

[pwhooftman]

Yes, but SecureNAT is the simplest solution, and again "These internal ARPs do not register on Wireshark...".

"These internal ARPs do not register on Wireshark..." , but these packets travel to the remote vpn client via the mobile connection and will be counted as traffic by the mobile provider, won't they?

[solo]

Damn, I should've completed the sentence "...and can not possibly have any impact on your data costs".