We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda NextGen Firewall F
Barracuda NextGen Firewall F

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://www.barracuda.com/support/knowledgebase/50160000000IQxo for further information on our EoS policy.

How to Create Proxy ARP Objects

  • Last updated on

With Proxy ARP objects, you can configure the Barracuda NG Firewall to answer ARP requests on behalf of a requested interface, accept packets, and correctly forward packets. Proxy ARPs are like additional IP addresses that the firewall responds to when it receives an ARP request. Use Proxy ARP addresses for redirecting and mapping in firewall rulesets, if they are in the same address space as the source of a connection request. You can also use Proxy ARP objects for bridging.

Do not create Proxy ARPs in address spaces where the firewall IP address is configured as the gateway IP address.

You can create a Proxy ARP object as a standalone object or with a connection object. However, the Proxy ARP object is then dependent on the connection object; if the connection object is deleted, the Proxy ARP object is also deleted.

Configure a Proxy ARP Object

You can define up to 256 Proxy ARP entries on the Barracuda NG Firewall. This limitation exists for the numbers of entries, not for the number of IP addresses.

  1. Log into the Barracuda NG Firewall.
  2. Click the Status tab.
  3. In the Services table, click Configuration.
  4. On the Simple Config page, click Ruleset in the Operational Configuration table.
  5. From the Configuration menu in the left navigation pane, select Proxy ARPs.
  6. To create a Proxy ARP object, right-click the table and select New.
  7. To edit a Proxy ARP object, double-click it.
  8. In the Edit/Create a Proxy ARP Object window, specify the settings for the Proxy ARP object.  

    Example - Edit/Create a Proxy ARP Object window:

    Image not found

    You can specify the following settings:

    Setting Description

    Network Address

    You can enter a single IP address or a complete network.


    Description of the Proxy ARP object.


     To let the Proxy ARP object exist without a referring object (such as a connection object), select this check box. Otherwise, the Proxy ARP object is deleted if the referring object is deleted. The Standalone setting is enabled by default.

    Primary Network Interface

    Interface that is used when responding to an ARP request. You can either enter a specific network interface (for example, eth1), or select one of the following options:

    • match (default) - ARP requests are answered via the interface that hosts the network.
    • any - ARP requests are answered via any interface.

    Additional Interfaces

    Additional interfaces that are used when responding to ARP requests. Make sure that you only enter interfaces that do not conflict with the primary network interface. You can enter a space-delimited list of interfaces.

    Exclude Networks

    Network addresses that should be excluded from a complete network that is entered in the Network Address field. You can enter a space-delimited list of addresses.

    Source Address Restriction

    Network addresses that must be used as the source IP address when responding to ARP requests. You can enter a space-delimited list of addresses.

    Introduce Route on Interface

    For bridging setups only. Read-only field that displays the bridging interface route (see: link).

    Send Unsolicited ARP

    To configure the firewall to also propagate specified IP addresses through ARPs, select this check box. The Send Unsolicited ARP setting is enabled by default.

    Unsolicited ARPs can only be sent if the corresponding network interface has an active IP address. The status of the IP address is only verified when the forwarding firewall starts up, such as during an HA takeover or when the firewall ruleset changes. The status of the IP address is not verified if the network interface changes into state "up" or if a pending route becomes active, such as when a server IP address is introduced. In this case, only the Proxy ARP is introduced to answer incoming ARP requests.

  9. Click OK.
  10. Click Send Changes and then click Activate. 

Create a Proxy ARP Object with a Connection Object

To create a Proxy ARP object with in the configuration of a connection object, select the Create Proxy ARP check box. For more information on creating on a connection object, see link.

If the Proxy ARP object must exist independently of the connection object, select the Standalone check box in the Proxy ARP configuration window. With the Standalone setting enabled, the Proxy ARP object remains functional even when the referenced connection object is deleted. For more information, read the above section.

Last updated on