> I wonder if adding the client to the NoCat_Inbound chain will be enough?
It doesn't seem to be, and you can see why.
Assume Client A and Client B are associated with Node N.
A and B won't use Node N to talk IP to one another since they're on the same subnet. They'll just ARP for one another and go from there.
Is this a hostAP setting?