What you want is indeed possible, but it requires a fairly recent Linux kernel (>= 2.6.34, or a backport).

The option you need is /proc/sys/net/ipv4/conf/*/proxy_arp_pvlan:

    proxy_arp_pvlan - BOOLEAN
    Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received). This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp'ing. Don't need to be used together with proxy_arp. This technology is known by different names: In RFC 3069 it is called VLAN Aggregation. Cisco and Allied Telesyn call it Private VLAN. Hewlett-Packard call it Source-Port filtering or port-isolation. Ericsson call it MAC-Forced Forwarding (RFC Draft).

The upstream commit adding this support is 65324144b50bc7022cc9b6ca8f4a536a957019e3.
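As an added example (not part of the answer above), a small POSIX shell helper that checks the running kernel against the 2.6.34 requirement, confirms the proxy_arp_pvlan knob exists for an interface, and enables it; the interface name is an assumption and must be supplied by the caller.

```shell
#!/bin/sh
# Added example: enable proxy_arp_pvlan on one interface after sanity checks.
# Needs root to write under /proc/sys. Interface name is caller-supplied.

# version_ge HAVE WANT: return 0 if dotted version HAVE >= WANT.
# ".0.0" is appended so every version has at least three numeric fields.
version_ge() {
    have="$1.0.0"
    want="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# proxy_arp_pvlan appeared in 2.6.34 (per the answer above); distro
# backports may exist, so the /proc check below is the real test.
kernel_supports_pvlan() {
    version_ge "$(uname -r | cut -d- -f1)" "2.6.34"
}

# enable_pvlan_proxy_arp IFACE: turn the knob on and verify it took effect.
# proxy_arp itself does not have to be enabled alongside it.
enable_pvlan_proxy_arp() {
    iface="$1"
    knob="/proc/sys/net/ipv4/conf/$iface/proxy_arp_pvlan"
    if [ ! -e "$knob" ]; then
        echo "no proxy_arp_pvlan knob for $iface (old kernel or no such interface)" >&2
        return 1
    fi
    echo 1 > "$knob" || return 1
    # Read back so a silent failure (e.g. read-only /proc in a container) is caught.
    [ "$(cat "$knob")" = "1" ]
}
```

Typical use: `kernel_supports_pvlan && enable_pvlan_proxy_arp eth0`.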