Practical Networking .net

Proxy ARP

This article is a part of a series on Address Resolution Protocol (ARP). Use the navigation boxes to view the rest of the articles.


Address Resolution Protocol

We’ve discussed the use cases and role of traditional ARP in the prior article of this series. In this article we will discuss Proxy ARP and its role and significance.

Proxy ARP occurs when one node is responding to an ARP request on behalf of another node.

Proxy ARP is not a malicious event, it occurs to enable connectivity between two hosts that wouldn’t otherwise be possible.


Original Use Case

The original thought process for Proxy ARP was to accommodate hosts with misconfigured subnet masks.

As we’ve discussed before, when a host is speaking to another host on the same IP network, the target for the ARP request is the other host’s IP address. If a host is speaking to another host on a different IP network, the target for the ARP request will be the Default Gateway’s IP address.

The item which tells a host whether another IP address is on the same network or a different network is the subnet mask. This topology will illustrate how it works:


Host A is configured with the IP address and a subnet mask of (or /24 in CIDR). Host A will consider any IP address in the range of on its local network.

Host B is configured with the IP address and misconfigured with a subnet mask of (or /16 in CIDR). Host B will consider any IP address in the range of on its local network.

Presume both of these hosts are trying to speak to Host D, which exists on a different network and has the IP address

When Host A tries to speak to, it would (correctly) consider Host D on a different network and would use traditional ARP to send the packet to the default gateway.

However, when Host B tries to speak to, it would (incorrectly) consider Host D on the same network and would instead try to ARP for Host D’s MAC address directly.

Host B’s ARP Request will be broadcast to the local network, but will never make it across the Router to Host D. Therefore, the ARP Request will go unanswered, and Host B will be unable to communicate with Host D.

Unless the Router itself responds to Host B’s ARP Request on behalf of Host D – which is the exact definition of a Proxy ARP.

Here is the process in action (Host A is not pictured):

Proxy ARP - Practical Networking .net

The ARP Response sent by the Router looks exactly like a normal ARP response. Host B will use the response to create an ARP mapping that states the IP maps to the MAC address 0053.ffff.9999. All subsequent packets sent to Host D will use this MAC address in the L2 header.

So despite the misconfigured Subnet Mask, Host B will be able to speak to Host D, due to the Router’s heroic use of Proxy ARP.


That being said, it does impose additional work load on the Router. We used the specific example of Host D’s single IP address, but due to Host B’s misconfigured subnet mask there are roughly 65,000 IP addresses that Host B now considers on its local network. When in reality only about 250 could possibly exist on its local network.

So while Proxy ARP enabled connectivity in this example, it unfortunately does not scale indefinitely and should not be relied upon. The long term solution is to correct the misconfigured Subnet mask on Host B.

Moreover, this specific use case for Proxy ARP is based solely around enabling routing despite there being a misconfiguration. With Proxy ARP, Host B may never even realize it has an incorrect Subnet Mask.

There is another school of thought that instead would prefer Host B’s misconfiguration to cause the communication to fail in order for Host B to be notified that something is wrong. Thereby creating an opportunity for Host B to fix the root problem.

Many routers these days do not send Proxy ARPs by default for this very reason. Although most include a way to enable it if desired.

That said, there is a very important and legitimate use case for Proxy ARP — one which does not stem from a misconfiguration. We’ll take a look at it after exploring the Packet Structure for Proxy ARP next.

Proxy ARP Packet Structure

The ARP Request looks identical to the traditional ARP Request we looked at in the last article. In fact, it is a traditional ARP request, as the initiator of the ARP Request does not know whether the response will come in via proxy.

The Proxy ARP Response is slightly different, but has the same packet structure as the traditional ARP Response packet:


Notice the response is sent Unicast, directly from the Router’s MAC address to Host B’s MAC address.

The Opcode still contains the value 2, indicating an ARP response.

The crux of the Proxy ARP is in the Sender MAC and Sender IP address fields.

Notice, the Sender MAC address is the Router’s MAC address, but the Sender’s IP address is Host D’s IP address. The Router is providing its own MAC address as the owner for another hosts IP address, hence responding to the ARP on behalf of Host D.

Finally, the Target MAC and Target IP address fields, as expected, contain the information correlating to Host B, which is the intended recipient of this ARP Response.

You can download the packet capture of the Proxy ARP conversation above here. It can be studied using Wireshark.


Proxy ARP in Network Address Translation

Earlier we discussed Proxy ARP and its use case for routing for misconfigured hosts. Of course, that use case all but disappears if every host is configured properly.

However, there is a very legitimate and necessary use case for Proxy ARP, and that has to do with Network Address Translation, or NAT.

We will use this topology to describe it:


Our Firewall has the IP address in the network. Our Firewall is also configured with a Static NAT that translates the IP address to These IP addresses belong to Host Y, with the IP address Host X is simply some host on the other side of the Internet, using the IP

If Host X sends a packet to Host Y, that packet will have a Source IP of and a Destination IP of Routing will take that packet across the internet until it finally arrives at Router C.

Router C now needs to deliver a packet that is destined to a network it is directly attached to ( Router C initiates an ARP Request to determine the MAC address which owns the IP address

But the device which owns that IP address is Host Y, which is not in the same network as Router C. So Host Y would be unable to respond to this query.

The Firewall, however, having been configured to translate packets from to, knows it must receive the packets destined to so that it can translate them and deliver them to Host Y.

Therefore, the Firewall will use Proxy ARP to respond to Router C’s ARP Request for the IP address on behalf of Host Y.

The entire process is illustrated in this animation:


If not for the Firewall participating in Proxy ARP, the Network Address Translation would fail, since packets sent from Router C would never arrive to the Firewall.

Hence, for Network Address Translation to work properly, the translation device must use Proxy ARP to properly receive packets to be translated.

As demonstrated, any NAT deployment will require the use of Proxy ARP to properly receive packets which must be translated.

There are ways around requiring Proxy ARP on a NAT device, but they involves using Static Routes on the upstream Router to manually instruct the Router to send packets which must be translated to the Firewall’s interface. While viable, this solution does not scale.


Series Navigation<< Traditional ARPGratuitous ARP >>


  1. Thank you so much for sharing this! Excellent explanation! =)

  2. abdo refky says

    Well said,

    The nat section is a great info

  3. abdo refky says

    I have a question if you

    Will the firwall then check the nat table and if entry found . It will replay with proxy arp ?

    • Hi Abdo, the Firewall would probably respond with a Proxy ARP whether a NAT table entry exists or not. Recall, some versions of NAT are bi-directional, and traffic must be able to arrive to the firewall whether it was initiated by the Internet host or the Inside host.

  4. Hi,

    Thanks for such detail articles. Finding them very useful. I have a question in this particular topic. Do you have a seperate firewall device or the firewall on the Host Y?
    1. If Firewall on Host Y, then do we need the address translation, its as good Host Y owning the 72.x ip as well and any communication to 72.x IP will reach to it with direct routing and traditional arp.
    2. If Firewall is external to it, does it have a different IP? And along with responding its own IP its also proxy responding to Host Y IP? (means the .1 and .2 interfaces on firewall have different IPs but are transparent to outside world?

    Can you please elaborate. Thanks.

    • Hi Agveer,

      #1 — If Host Y was on the same network as RouterC (72.3.4.x.0/24), then when RouterC issued the ARP request for

      #2 — Yes, the Firewall has a different IP address ( tan that of the translations.

  5. Hi ed,

    Actually with static NAT on a CISCO router, the proxy ARP is not needed. As soon as the static NAT command is entered, the router create a static ARP entry with his own mac-address.
    For the (Inside Global) (Inside local).

    I guess the behavior is the same with real FW.

    But thank you for the serie on ARP, i’ve learned some new things and other things are more clear now.

    • Hi PacketX,

      Proxy ARP exists for the purpose of the upstream Router — not the Router or Firewall upon which the Static NAT is configured.

      In the illustration, Router C needs an ARP mapping for the IP address The Firewall is the device with the NAT configuration, and the Firewall must respond to the ARP Request sent by Router C. The Firewall is responding to the ARP Request by Proxy, i.e., on behalf of Host Y.

  6. Mário Jorge Santos says

    Thank you for sharing this very good explantion! Very helpfull infos!

  7. First, love the blog! Really helpful in starting my CCENT studying.

    1. Just to clarify, if host Y were to respond to host X, would the source IP be Would the firewall then change the L3 header with NAT translation?

  8. your explanation is very clear and useful

    Thank you very much.

  9. David Livingston says

    Thanks A LOT for helping beginners like me… Quick and Clear way of explanation is where You stand high…

  10. Balachandhar S says

    Excellent explanation.. Thank you very much.

  11. Kaushal Kishore says

    Proxy Arp will not take place for the Private IP of Y but for the Interface IP of the FW which will be configured on the external interface

    • Actually, it won’t take place for either. The Proxy ARP will occur for the Public IP of Host Y.

      If the packet were sent to the Firewall’s Interface IP (.2), it would simply be a traditional ARP. But the packet is sent to Host Y’s Public address, and the Firewall must answer on behalf of Host Y.

  12. Hey Ed,
    Thanks for the wonderful articles.
    They are really helpful i read types of Arp and its pretty sorted.
    going through Vlan sections now

    However i have few doubts.

    when the packet at C asks for an Mac address for host — what is host here.
    firewall? / some devices missing from the diagram?

    Because provider edge router C is asking for the mac address of the customer edge device(firewall doing Natting)
    then why do we need to enable proxy?

    wont the layer 3 header be changed at customer edge device (firewall in your case)

    confused ??? please assist ?

    • The “Provider Edge Router C” has a directly connected interface to the network — anytime it tries to deliver a packet to anything in this range it will issue an ARP Request on that interface. See the finale of the Packet Traveling series for more details.

      Remember, there might be many different hosts/firewalls/clients owning IP addresses in the range. The firewall owns the IP address The Firewall is also using the IP address in a Static NAT for Host Y with the IP

      When the Router issues an ARP Request to resolve the IP, the Firewall will respond with an ARP Response.

      When the Router issues an ARP Request to resolve the IP, the Firewall will respond on behalf of Host Y, due to the Static NAT configuration.

      From the Router’s perspective, these ARP responses will look the same.

      The L3 header between Router C and the Firewall will not be changed, the packet will be delivered to the Firewall with a destination IP address of The Firewall will then change the L3 header to to accommodate the Static NAT configuration.

      • ED,
        In the routing table of C,
        the next hop for the network will be or what?
        generally wont it arp for to reach network// or since its a 1-1 mapping
        it’ll arp instead of just because its static
        is that what you mean?

  13. Stefano Fereri says

    Your articles are really helpful, because you do what most writers cannot achieve: You explain it in an understandable way.

    But one thing in this part of the series is funny: Do you really want to state, that Proxy ARP is intended as a means to prevent missconfigured computers from not working??


  14. Stefano Fereri says

    Yes, and as afnaan says, there are doubts. When you state that “the device which owns that IP address [] is Host Y” this is not correct in my opinion. IP address of Host Y is In your example is the second IP address of the firewalls interface (beside There is no need to do Proxy ARP (but to do NAT).

    • At this point you’re getting into semantics. Certainly, the case could be argued that the Firewall actually owns (and not Host Y), and is therefore only responding to a ARP regularly (not via proxy).

      It might be different for various Firewall manufacturers, but on the Cisco ASA, if you disable Proxy ARP, you disable the Firewall from responding to the ARP from Router C. And if Cisco is content calling that a Proxy ARP, I am inclined to agree ;).

      Either way, NAT will still occur on the packet, that process is independent of the Proxy ARP. The Proxy ARP simply serves to get the packet to the Firewall, the Firewall can then do with the packet as it pleases.

      >> But one thing in this part of the series is funny: Do you really want to state, that Proxy ARP is intended as a means to prevent missconfigured computers from not working??

      Absolutely =)

  15. Hi I love your blog, it’s very informative:

    Just a question.

    Why Host Y has two IP addressess and

    Is the IP address belongs to Host Y or belong to Firewall.

    Please Explain

  16. Mohamed Anwar Abdul Lattif says

    Thanks Ed for this wonderful article on Proxy Arp.

  17. Loved it…thanks much for sharing !! Cheers !!

  18. ahmed bahgat says

    thanks so much this is so helpfull and easy learned

  19. Hi
    Thanks for the detailed explaination.
    I have a question say there is one more device Z with IP and same public address is configured as NAT for device Z. In this case when HOST X sends arp request with dest IP as what will the returned mac address .. is it Host Y mac or Host Z mac???


    • Hi Rakshith.

      Host X will not send an ARP for either of those IP addresses, it will send the packet to Router A (Host X’s default gateway).

      When the packet gets to Router C, Router C will send an ARP for, and the Firewall will respond with the Firewall’s MAC address. The firewall is answering on behalf of Host Y and Z, based upon the Static Translations that are configured. The firewall is therefore performing a Proxy ARP.

      Hope it helps.

  20. Hi and thanks for the explanation.
    One question though, I have a similiar situation in my network and I always disable proxy arp on interfaces, however NAT seems to bypass it. How come?

    • Hi Edo. Depending on the addresses you are using in NAT, it’s possible NAT will not function without Proxy ARP. When you disable Proxy ARP, it might just be disabling the first use case for Proxy ARP above. But that is just a guess, it’s probably different for each vendor and router. You’ll have to reach out to your device’s support channels.

  21. Really lots of hard work done to make it simplest.
    In fact i am beginner, but still I could understand.

  22. Mark OConnor says

    Internal/External Routing Protocols would also work in place of a static route.

    Good Article

  23. Hi, is this a Cisco-specific setup?

    For my understanding, it makes no sense to do Proxy-ARP and DNAT at the same time?

    In one case, there are two public addresses on the facing interface of the firewall ( and In this case I can make a simple DNAT pointing to

    In the other case, the is bound on Host-Y. In this case, Proxy-ARP on both Interfaces of the Firewall is required.

    But why do you suggest Proxy-ARP and DNAT at the same time? Is this Cisco-specific?


    • No, this isn’t just a Cisco-ism.

      > In one case, there are two public addresses on the facing interface of the firewall ( and In this case I can make a simple DNAT pointing to

      Consider Router C. What will it do when it receives the packet with a destination IP address of In particular, consider what address it ought to use as the L2 destination to get the frame to the Firewall.

      You’ll find that unless you add specific configuration on Router C (i.e., a Static Route for IP address), it will simply ARP to the entire network. The Firewall in that case must respond with it’s own MAC address in order to receive the packet to begin with.

  24. Is there a scenario where proxy arp would cause a firewall to respond for an external address where there is no NAT rule defined and create a potential IP conflict with other devices attached to router c?
    To use your NAT illustration; traffic from, destined for a server host at and connected to router c (it appears you have only a single address nat-ed and it is .55, not other addresses in like .54, thus leaving them open for use by hosts like this fictitious server on .54).

    Can you describe the conditions needed to cause this conflict situation, why this would be desirable behavior and how to work around it (perhaps intentionally create a nat for the and set it to no-proxy-arp, thus removing this one address from arp response to router c and allowing the traffic to flow to the actual server host at
    Thank you for the help.

    • As BryanB’s colleague, to clarify, the scenario would be 2 firewalls attached to router C on the same subnet with their own private networks behind them maintaining separate, non-conflicting IP’s and NAT tables. Would both firewalls respond to an ARP request if only one of them had a matching NAT table entry simply because they are on the same subnet?

      If so, how could that be avoided? The end goal is to have multiple tenants using the same public subnet without interference.

      • Hi Dustin / Bryan,

        The question is borderline unanswerable without knowing the specifics of what firewall, what model, what configuration, and so on. So understand the answers below are broad strokes and will undoubtedly have exceptions.

        That said… typically, no, a Firewall would not Proxy ARP for an IP address it does not have a NAT translation configured for. Moreover, if there weren’t any tricky Routing deployments, you would also not expect the FW to offer Proxy ARP for that reason as well.

        However, you mentioned separate non-conflicting IPs and NAT tables — this leads me to believe there probably was a stray NAT configuration on one or the other Firewall which could easily have caused Proxy ARP for the other’s IP Space.

        The scenario you describe:

        > The end goal is to have multiple tenants using the same public subnet without interference.

        Is a bit of an impossibility. If the tenants are controlling the Firewall, there is no shortage of harm they could cause (maliciously or inadvertently) to each other’s traffic. There are some Networking games you can play to limit this, but at the end of the day, if you want to remove the possibility of interference, they should not share the same IP network.

        If you (the Admin) controls both Firewalls, then you ought to be able to set it up so one cannot affect the other, even if they are using shared IP space on the Outside.

        Hope this helps. Feel free to reach out on Discord if you want to discuss it further. (

    • Hi Bryan, I responded to your colleague Dustin here.

      • Thank you Ed, particularly for giving BOTH answers; the technical one that explained that there would not normally be a proxy-arp response for an address that has no NAT defined behind it (this helps us with flexibility in how we use our addresses going forward), and then the ideal answer to limit risk in a multitenant situation (this will help us create a plan to limit risk in the future… from a tenant misconfigured NAT as just one example).
        Much appreciated.

Speak Your Mind