Skip to content
Practical TLS - October Sale
October is my birthday month, which makes for a good excuse to discount my most popular course: Practical TLS.

Use code OctBDAY2024b to get the course for $58 (originally $297).

Purchase here. Or, for more info on the top rated course on TLS, click here.

Code expires Oct 14, 2024.

Proxy ARP

    Proxy ARP

    This article is a part of a series on Address Resolution Protocol (ARP). Use the navigation boxes to view the rest of the articles.

     

    Address Resolution Protocol

    We’ve discussed the use cases and role of traditional ARP in the prior article of this series. In this article we will discuss Proxy ARP and its role and significance.

    Proxy ARP occurs when one node is responding to an ARP request on behalf of another node.

    Proxy ARP is not a malicious event, it occurs to enable connectivity between two hosts that wouldn’t otherwise be possible.

    Original Use Case

    The original thought process for Proxy ARP was to accommodate hosts with misconfigured subnet masks.

    As we’ve discussed before, when a host is speaking to another host on the same IP network, the target for the ARP request is the other host’s IP address. If a host is speaking to another host on a different IP network, the target for the ARP request will be the Default Gateway’s IP address.

    The item which tells a host whether another IP address is on the same network or a different network is the subnet mask. This topology will illustrate how it works:

    arp-media-proxy-arp-topology

    Host A is configured with the IP address 10.0.0.11 and a subnet mask of 255.255.255.0 (or /24 in CIDR). Host A will consider any IP address in the range of 10.0.0.010.0.0.255 on its local network.

    Host B is configured with the IP address 10.0.0.22 and misconfigured with a subnet mask of 255.255.0.0 (or /16 in CIDR). Host B will consider any IP address in the range of 10.0.0.010.0.255.255 on its local network.

    Presume both of these hosts are trying to speak to Host D, which exists on a different network and has the IP address 10.0.4.44.

    When Host A tries to speak to 10.0.4.44, it would (correctly) consider Host D on a different network and would use traditional ARP to send the packet to the default gateway.

    However, when Host B tries to speak to 10.0.4.44, it would (incorrectly) consider Host D on the same network and would instead try to ARP for Host D’s MAC address directly.

    Host B’s ARP Request will be broadcast to the local network, but will never make it across the Router to Host D. Therefore, the ARP Request will go unanswered, and Host B will be unable to communicate with Host D.

    Unless the Router itself responds to Host B’s ARP Request on behalf of Host D – which is the exact definition of a Proxy ARP.

    Here is the process in action (Host A is not pictured):

    Proxy ARP - Practical Networking .net

    The ARP Response sent by the Router looks exactly like a normal ARP response. Host B will use the response to create an ARP mapping that states the IP 10.0.4.44 maps to the MAC address 0053.ffff.9999. All subsequent packets sent to Host D will use this MAC address in the L2 header.

    So despite the misconfigured Subnet Mask, Host B will be able to speak to Host D, due to the Router’s heroic use of Proxy ARP.

    That being said, it does impose additional work load on the Router. We used the specific example of Host D’s single IP address, but due to Host B’s misconfigured subnet mask there are roughly 65,000 IP addresses that Host B now considers on its local network. When in reality only about 250 could possibly exist on its local network.

    So while Proxy ARP enabled connectivity in this example, it unfortunately does not scale indefinitely and should not be relied upon. The long term solution is to correct the misconfigured Subnet mask on Host B.

    Moreover, this specific use case for Proxy ARP is based solely around enabling routing despite there being a misconfiguration. With Proxy ARP, Host B may never even realize it has an incorrect Subnet Mask.

    There is another school of thought that instead would prefer Host B’s misconfiguration to cause the communication to fail in order for Host B to be notified that something is wrong. Thereby creating an opportunity for Host B to fix the root problem.

    Many routers these days do not send Proxy ARPs by default for this very reason. Although most include a way to enable it if desired.

    That said, there is a very important and legitimate use case for Proxy ARP — one which does not stem from a misconfiguration. We’ll take a look at it after exploring the Packet Structure for Proxy ARP next.

    Proxy ARP Packet Structure

    The ARP Request looks identical to the traditional ARP Request we looked at in the last article. In fact, it is a traditional ARP request, as the initiator of the ARP Request does not know whether the response will come in via proxy.

    The Proxy ARP Response is slightly different, but has the same packet structure as the traditional ARP Response packet:

    proxy-arp-packet-structure

    Notice the response is sent Unicast, directly from the Router’s MAC address to Host B’s MAC address.

    The Opcode still contains the value 2, indicating an ARP response.

    The crux of the Proxy ARP is in the Sender MAC and Sender IP address fields.

    Notice, the Sender MAC address is the Router’s MAC address, but the Sender’s IP address is Host D’s IP address. The Router is providing its own MAC address as the owner for another hosts IP address, hence responding to the ARP on behalf of Host D.

    Finally, the Target MAC and Target IP address fields, as expected, contain the information correlating to Host B, which is the intended recipient of this ARP Response.

    You can download the packet capture of the Proxy ARP conversation above here. It can be studied using Wireshark.

    Proxy ARP in Network Address Translation

    Earlier we discussed Proxy ARP and its use case for routing for misconfigured hosts. Of course, that use case all but disappears if every host is configured properly.

    However, there is a very legitimate and necessary use case for Proxy ARP, and that has to do with Network Address Translation, or NAT.

    We will use this topology to describe it:

    arp-media-proxy-arp-nat-topology

    Our Firewall has the IP address 72.3.4.2 in the 72.3.4.0/24 network. Our Firewall is also configured with a Static NAT that translates the IP address 72.3.4.55 to 10.3.4.55. These IP addresses belong to Host Y, with the IP address 10.3.4.55. Host X is simply some host on the other side of the Internet, using the IP 66.7.8.9.

    If Host X sends a packet to Host Y, that packet will have a Source IP of 66.7.8.9 and a Destination IP of 72.3.4.55. Routing will take that packet across the internet until it finally arrives at Router C.

    Router C now needs to deliver a packet that is destined to a network it is directly attached to (72.3.4.0/24). Router C initiates an ARP Request to determine the MAC address which owns the IP address 72.3.4.55.

    But the device which owns that IP address is Host Y, which is not in the same network as Router C. So Host Y would be unable to respond to this query.

    The Firewall, however, having been configured to translate packets from 72.3.4.55 to 10.3.4.55, knows it must receive the packets destined to 72.3.4.55 so that it can translate them and deliver them to Host Y.

    Therefore, the Firewall will use Proxy ARP to respond to Router C’s ARP Request for the 72.3.4.55 IP address on behalf of Host Y.

    The entire process is illustrated in this animation:

    proxy-arp-nat

    If not for the Firewall participating in Proxy ARP, the Network Address Translation would fail, since packets sent from Router C would never arrive to the Firewall.

    Hence, for Network Address Translation to work properly, the translation device must use Proxy ARP to properly receive packets to be translated.

    As demonstrated, any NAT deployment will require the use of Proxy ARP to properly receive packets which must be translated.

    There are ways around requiring Proxy ARP on a NAT device, but they involves using Static Routes on the upstream Router to manually instruct the Router to send packets which must be translated to the Firewall’s interface. While viable, this solution does not scale.

    Series Navigation

    Traditional ARP >>Gratuitous ARP >>

    Tags:
    5 16 votes
    Article Rating
    Subscribe
    Notify of

    56 Comments
    Oldest
    Newest Most Voted
    Inline Feedbacks
    View all comments

    Thank you so much for sharing this! Excellent explanation! =)

    Well said,

    The nat section is a great info

    I have a question if you

    Will the firwall then check the nat table and if entry found . It will replay with proxy arp ?

    Hi,

    Thanks for such detail articles. Finding them very useful. I have a question in this particular topic. Do you have a seperate firewall device or the firewall on the Host Y?
    1. If Firewall on Host Y, then do we need the address translation, its as good Host Y owning the 72.x ip as well and any communication to 72.x IP will reach to it with direct routing and traditional arp.
    2. If Firewall is external to it, does it have a different IP? And along with responding its own IP its also proxy responding to Host Y IP? (means the .1 and .2 interfaces on firewall have different IPs but are transparent to outside world?

    Can you please elaborate. Thanks.

    Hi ed,

    Actually with static NAT on a CISCO router, the proxy ARP is not needed. As soon as the static NAT command is entered, the router create a static ARP entry with his own mac-address.
    For the (Inside Global) 72.3.4.55 10.3.4.55 (Inside local).

    I guess the behavior is the same with real FW.

    But thank you for the serie on ARP, i’ve learned some new things and other things are more clear now.

    i do not about Cisco ,but if it is sure, it is the same as this: create a sub/sec IP address,in this case 72.3.4.55/32(must different from the interface IP mask), then the interface will do the gratuitous ARP, so let the network know the arp info

    Thank you for sharing this very good explantion! Very helpfull infos!

    First, love the blog! Really helpful in starting my CCENT studying.

    1. Just to clarify, if host Y were to respond to host X, would the source IP be 10.3.4.55? Would the firewall then change the L3 header with NAT translation?

    your explanation is very clear and useful

    Thank you very much.

    Thanks A LOT for helping beginners like me… Quick and Clear way of explanation is where You stand high…

    Excellent explanation.. Thank you very much.

    Proxy Arp will not take place for the Private IP of Y but for the Interface IP of the FW which will be configured on the external interface

    Hey Ed,
    Thanks for the wonderful articles.
    They are really helpful i read types of Arp and its pretty sorted.
    going through Vlan sections now

    However i have few doubts.

    when the packet at C asks for an Mac address for host 72.3.4.55 — what is host 72.3.4.55 here.
    firewall? / some devices missing from the diagram?

    Because provider edge router C is asking for the mac address of the customer edge device(firewall doing Natting)
    then why do we need to enable proxy?

    wont the layer 3 header be changed at customer edge device (firewall in your case)

    confused ??? please assist ?

    ED,
    In the routing table of C,
    the next hop for the network 72.3.4.0/24 will be 72.23.4.2 or what?
    generally wont it arp for 72.3.4.2 to reach 172.3.4.0 network// or since its a 1-1 mapping
    it’ll arp 72.23.4.55 instead of 72.3.4.2 just because its static
    is that what you mean?

    Your articles are really helpful, because you do what most writers cannot achieve: You explain it in an understandable way.

    But one thing in this part of the series is funny: Do you really want to state, that Proxy ARP is intended as a means to prevent missconfigured computers from not working??

    😉

    Yes, and as afnaan says, there are doubts. When you state that “the device which owns that IP address [72.3.4.55] is Host Y” this is not correct in my opinion. IP address of Host Y is 10.3.4.55. In your example 72.3.4.55 is the second IP address of the firewalls interface (beside 72.3.4.2). There is no need to do Proxy ARP (but to do NAT).

    Thanks Ed, that makes sense.

    Hi I love your blog, it’s very informative:

    Just a question.

    Why Host Y has two IP addressess 72.3.4.55 and 10.3.4.55.

    Is the IP address 72.3.4.55 belongs to Host Y or belong to Firewall.

    Please Explain

    Thanks Ed for this wonderful article on Proxy Arp.

    Loved it…thanks much for sharing !! Cheers !!

    thanks so much this is so helpfull and easy learned

    Hi
    Thanks for the detailed explaination.
    I have a question say there is one more device Z with IP 10.3.4.56 and same public address 72.3.4.55 is configured as NAT for device Z. In this case when HOST X sends arp request with dest IP as 72.3.4.55 what will the returned mac address .. is it Host Y mac or Host Z mac???

    Regards,
    Rakshith.

    Hi and thanks for the explanation.
    One question though, I have a similiar situation in my network and I always disable proxy arp on interfaces, however NAT seems to bypass it. How come?

    Really lots of hard work done to make it simplest.
    In fact i am beginner, but still I could understand.

    Internal/External Routing Protocols would also work in place of a static route.

    Good Article

    Hi, is this a Cisco-specific setup?

    For my understanding, it makes no sense to do Proxy-ARP and DNAT at the same time?

    In one case, there are two public addresses on the 72.3.4.0/24 facing interface of the firewall (72.3.4.2 and 72.3.4.55). In this case I can make a simple DNAT pointing to 10.3.4.55.

    In the other case, the 72.3.4.55 is bound on Host-Y. In this case, Proxy-ARP on both Interfaces of the Firewall is required.

    But why do you suggest Proxy-ARP and DNAT at the same time? Is this Cisco-specific?

    Regards

    Is there a scenario where proxy arp would cause a firewall to respond for an external address where there is no NAT rule defined and create a potential IP conflict with other devices attached to router c?
    To use your NAT illustration; traffic from 66.7.8.0/24, destined for a server host at 72.3.4.54/24 and connected to router c (it appears you have only a single address nat-ed and it is .55, not other addresses in 72.3.4.0/24 like .54, thus leaving them open for use by hosts like this fictitious server on .54).

    Can you describe the conditions needed to cause this conflict situation, why this would be desirable behavior and how to work around it (perhaps intentionally create a nat for the 72.3.4.54/24 and set it to no-proxy-arp, thus removing this one address from arp response to router c and allowing the traffic to flow to the actual server host at 72.3.4.54/24?)?
    Thank you for the help.

    As BryanB’s colleague, to clarify, the scenario would be 2 firewalls attached to router C on the same 72.3.4.0/24 subnet with their own private networks behind them maintaining separate, non-conflicting IP’s and NAT tables. Would both firewalls respond to an ARP request if only one of them had a matching NAT table entry simply because they are on the same 72.3.4.0/24 subnet?

    If so, how could that be avoided? The end goal is to have multiple tenants using the same public subnet without interference.

    Thank you Ed, particularly for giving BOTH answers; the technical one that explained that there would not normally be a proxy-arp response for an address that has no NAT defined behind it (this helps us with flexibility in how we use our addresses going forward), and then the ideal answer to limit risk in a multitenant situation (this will help us create a plan to limit risk in the future… from a tenant misconfigured NAT as just one example).
    Much appreciated.

    Thank you. This is a lot. It would have taken me through many books and websites to figure out incompletely. You make it easy as always.

    I’m currently studying for Google and Amazon Security Engineering interviews. This tutorial series is straight gold, thank you.

    Hi Ed, first I want to congratulate you for your amazing articles, I’m impressed with the didactics, and I put practicalnetworking in my TOP1. I’m not an expert in Computer Networks and I just started marathoning your articles to learn about this amazing world of Computer network. I have a question and if you can answer me. I think I’m confusing the process of the AND technique of a Local Address and a Remote Address, but I’ll ask anyway. Does Host B know that the Remote IP Address has a /24 CIDR? I say this because if Host B knew that Host D’s IP Address is a /24 it would know that 10.0.4.44 is not in its local network using the AND technique that compares the mask with the IP Address to find out what it is network and what is host. In this case “Host B” does not know the CIDR of the Remote IP Address and does it believe that the address 10.0.4.44 is a Class A /8 or Class B /16 address? Is that why “host B” will consider that the IP address “10.0.4.44” to be in the range 10.0.0.0– 10.0.255.255 and therefore it is on its local network? The “Host B” would know with from CIDR using AND technique that Local IP Address 10.0.0.22/16 cannot communicate with Remote IP Address 10.0.4.44/24 even though if the range of IP Address 10.0.0.22/16 goes from 10.0.0.0 untill 10.0.255.255

    can we say local proxy arp works here because the ARP request is for another IP of the same subnet that is 72.3.4.55.
    

    thanks, bro, nice sharing, BTW, for some routers (such as Huawei) , I try to disable the prox arp(it is disabled by default), but it will still work for NAT, I use Wireshark to capture the package, I found the interface still do the Prox-arp resond.

    Hello, nice article. There is another situation where proxy ARP is sometimes used. It is by wireless access points. Under normal conditions, ARP requests are broadcast to all clients. A WiFi access point sends the broadcasts to all associated WiFi clients. This can potentially eat up a lot of “airtime” and reduce performance of the WiFi network. To avoid this, some WAPs enable proxy ARP on the ethernet interface. Since the WAP will always know all of the MAC addresses of the WiFi clients connected to it, it can intercept incoming ARP requests from the ethernet side for clients associated to it, and respond with proper response for the WiFi client. Not all WAPs support this, and those that do may need it to be enabled manually in the configuration. Just FYI. Thanks.

    i have read the Article ,but a bit confused as the address of host Y should be 10.3.4.55 as per diagram,but in the article it is mentioned ,that IP addrss of host Y is 72.3.4.55.
    can any one clarify more.