The Address Resolution Protocol (ARP) is predominantly used to resolve IPv4 IP addresses to the corresponding MAC addresses. ARP sends a broadcast request including the IP address to all hosts in the same subnet. The host with the requested IP address then replies with the MAC address of the interface that the IP address is bound to.
To connect two physically separated networks, a host (the CloudGen Firewall) must be configured as a proxy ARP to answer ARP requests for hosts in the other subnet which cannot be reached by the ARP broadcast. The firewall then answers ARP requests on behalf of the remote host and also accepts packets, taking over responsibility for forwarding all traffic to the actual destination. This is called transparent subnetting, as the client computer can connect to the remote host without knowing that the firewall is forwarding its request in between.
The proxy ARP configuration is done via proxy ARP objects. Proxy ARPs can thus be regarded as additional IP addresses that the firewall responds to when it receives an ARP request. Proxy ARP addresses can be used for redirecting and mapping in firewall rule sets if they are in the same address space as the source of a connection request. Additionally, Proxy ARP objects are used in bridging setups.
Proxy ARP Types
You can create either a standalone or dynamically generated proxy ARP object.
- Dynamically generated – These proxy ARPs exist as long as the objects that they have been created for are used, and they are deleted when the objects referring to them are deleted. To create proxy ARPs, select the Proxy ARP/Create Proxy ARP check box next to a specific configuration parameter’s properties in other configuration areas (rule configuration window, connection object dialog).
- Standalone – If you want to use a proxy ARP object that is not connected to a referring object, create it as a standalone. As standalone, proxy ARP objects cannot be accidentally deleted if the referring object is deleted.
Recommendations and Limitations
- You can define up to 256 proxy ARP entries on a CloudGen Firewall. Only the number of entries is limited; the number of IP addresses is not limited.
Do not create proxy ARPs in the subnet where the firewall IP address is configured as the gateway IP address, because traffic for other networks is sent to the gateway. The following provides examples of a subnet where proxy ARP can be used and a subnet where Proxy ARP cannot be used.
Localnet Firewall IP Default Gateway IP Redirected IP Create Proxy ARP 10.0.0.0/24 10.0.0.100 none 10.0.0.10 yes 10.0.0.0/24 10.0.0.100 10.0.0.100 10.0.1.10 no
Create a Proxy ARP Object
For more information, see: How to Create Proxy ARP Objects.