Saturday 23 June 2018

Proxy ARP


[Figure: Proxy ARP topology: Host A and Host B on the 10.0.0.0/24 segment, the Router, and Host D on the 10.0.4.0/24 network]
Host A is configured with the IP address 10.0.0.11 and a subnet mask of 255.255.255.0 (or /24 in CIDR). Host A will consider any IP address in the range 10.0.0.0 – 10.0.0.255 to be on its local network.


Host B is configured with the IP address 10.0.0.22 and misconfigured with a subnet mask of 255.255.0.0 (or /16 in CIDR). Host B will consider any IP address in the range 10.0.0.0 – 10.0.255.255 to be on its local network.


Presume both of these hosts are trying to speak to Host D, which exists on a different network and has the IP address 10.0.4.44.
When Host A tries to speak to 10.0.4.44, it would (correctly) consider Host D to be on a different network and would use traditional ARP to resolve the default gateway's MAC address and send the packet there.
However, when Host B tries to speak to 10.0.4.44, it would (incorrectly) consider Host D to be on the same network and would instead try to ARP for Host D's MAC address directly.
Host B's ARP Request will be broadcast to the local network, but will never make it across the Router to Host D. Therefore, the ARP Request will go unanswered, and Host B will be unable to communicate with Host D.







Unless the Router itself responds to Host B's ARP Request on behalf of Host D – which is the exact definition of Proxy ARP.


So despite the misconfigured Subnet Mask, Host B will be able to speak to Host D, thanks to the Router's heroic use of Proxy ARP.


Proxy ARP in Network Address Translation


[Figure: Proxy ARP with NAT topology: Host X (66.7.8.9) across the internet to Router C, the Firewall translating 72.3.4.55 to 10.3.4.55, and Host Y behind it]
If Host X sends a packet to Host Y, that packet will have a Source IP of 66.7.8.9 and a Destination IP of 72.3.4.55. Routing will carry that packet across the internet until it finally arrives at Router C.
Router C now needs to deliver a packet destined to a network it is directly attached to (72.3.4.0/24). Router C initiates an ARP Request to determine the MAC address which owns the IP address 72.3.4.55.
But the device which owns that IP address is Host Y, which is not in the same network as Router C. So Host Y would be unable to respond to this query.
The Firewall, however, having been configured to translate packets from 72.3.4.55 to 10.3.4.55, knows it must receive the packets destined to 72.3.4.55 so that it can translate them and deliver them to Host Y.
Therefore, the Firewall will use Proxy ARP to respond to Router C's ARP Request for the 72.3.4.55 IP address on behalf of Host Y.
If not for the Firewall participating in Proxy ARP, the Network Address Translation would fail, since packets sent from Router C would never arrive at the Firewall.
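The two scenarios above (the misconfigured subnet mask on Host B, and the Firewall answering for its NAT address) can be played out with a small simulation. This is an added example, not code from the original post: it models each device's on-link decision with the `ipaddress` module and lets a node answer an ARP Request for its own address, for a NAT public address in its translation table, or (when Proxy ARP is enabled) for any network it can route to. The addresses of the Router (10.0.0.1), Router C (72.3.4.1) and the Firewall's outside interface (72.3.4.2) are assumptions, since the post does not give them.

```python
import ipaddress

# Simulation of the two Proxy ARP scenarios described above (added example, not the
# post's own code). The Router (10.0.0.1), Router C (72.3.4.1) and the Firewall's
# outside interface (72.3.4.2) addresses are assumed; the post does not state them.


class Node:
    """One IP interface on a shared segment, plus the role-specific state that
    decides whether this node answers an ARP Request for a given target."""

    def __init__(self, name, iface, routes=(), nat=None, proxy_arp=False):
        self.name = name
        self.iface = ipaddress.ip_interface(iface)           # e.g. "10.0.0.22/16"
        # Networks this node can forward to via some OTHER interface (a router's routes).
        self.routes = [ipaddress.ip_network(r) for r in routes]
        # Static NAT: public address -> inside address (a firewall's translation table).
        self.nat = {ipaddress.ip_address(k): ipaddress.ip_address(v)
                    for k, v in (nat or {}).items()}
        self.proxy_arp = proxy_arp

    def arp_target_for(self, dst, gateway=None):
        """Which address must the sender resolve to reach dst? The on-link test uses
        the sender's own mask, so a misconfigured mask changes the answer."""
        dst = ipaddress.ip_address(dst)
        if dst in self.iface.network:
            return dst                                        # believes dst is local: ARP for dst
        return ipaddress.ip_address(gateway)                  # off-link: ARP for the default gateway

    def answers_arp_for(self, target):
        """Return why this node replies to an ARP Request for target, or None."""
        target = ipaddress.ip_address(target)
        if target == self.iface.ip:
            return "own address"                              # ordinary ARP reply
        if target in self.nat:
            return "proxy ARP (NAT)"                          # firewall answers for its public address
        if self.proxy_arp and any(target in net for net in self.routes):
            return "proxy ARP (routed)"                       # router answers for a network it reaches
        return None


def resolve(sender, dst, gateway, segment):
    """Broadcast an ARP Request on the segment and return (target, responder, reason).
    responder is None when nobody on the segment answers, i.e. delivery fails."""
    target = sender.arp_target_for(dst, gateway)
    for node in segment:
        if node is sender:
            continue
        reason = node.answers_arp_for(target)
        if reason:
            return str(target), node.name, reason
    return str(target), None, None


def scenario_subnet_mask(router_proxy_arp=True):
    """Hosts A and B try to reach Host D (10.0.4.44) through the Router (assumed 10.0.0.1)."""
    host_a = Node("Host A", "10.0.0.11/24")
    host_b = Node("Host B", "10.0.0.22/16")                  # wrong mask, as in the post
    router = Node("Router", "10.0.0.1/24", routes=["10.0.4.0/24"], proxy_arp=router_proxy_arp)
    segment = [host_a, host_b, router]                        # Host D is behind the Router, not here
    return {
        "Host A": resolve(host_a, "10.0.4.44", "10.0.0.1", segment),
        "Host B": resolve(host_b, "10.0.4.44", "10.0.0.1", segment),
    }


def scenario_nat(firewall_has_translation=True):
    """Router C (assumed 72.3.4.1) delivers to 72.3.4.55, which is really Host Y at
    10.3.4.55 behind the Firewall (assumed outside address 72.3.4.2)."""
    router_c = Node("Router C", "72.3.4.1/24")
    nat = {"72.3.4.55": "10.3.4.55"} if firewall_has_translation else {}
    firewall = Node("Firewall", "72.3.4.2/24", nat=nat)
    # 72.3.4.55 is on-link for Router C, so no default gateway is consulted.
    return resolve(router_c, "72.3.4.55", None, [router_c, firewall])


if __name__ == "__main__":
    for name, outcome in scenario_subnet_mask().items():
        print(name, "->", outcome)
    print("Host B with Proxy ARP off:", scenario_subnet_mask(router_proxy_arp=False)["Host B"])
    print("NAT:", scenario_nat())
    print("NAT without translation:", scenario_nat(firewall_has_translation=False))
```

Running it shows Host A resolving the Router's own address while Host B's request for 10.0.4.44 is answered only because the Router has Proxy ARP turned on; with it off, the request goes unanswered exactly as the post describes. The NAT case works the same way: the Firewall replies for 72.3.4.55 solely because that address appears in its translation table. Both outcomes rely on a device answering for an address it does not own, which is why Proxy ARP is normally left enabled only on interfaces that actually need it.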


