🕺Understanding Proxy ARP | How Firewalls Use It to Respond to Multiple IPs⁉️

What is Proxy ARP?

Proxy ARP (Address Resolution Protocol) is a technique where a device—typically a firewall, router, or Layer 3 switch—responds to ARP requests on behalf of another device. This allows multiple IP addresses to appear as if they exist on the same subnet, even when they are actually routed elsewhere.

It’s commonly used to:
✔ Extend subnets beyond their physical boundaries
✔ Allow a firewall to handle multiple IP addresses on a single interface
✔ Enable network segmentation without requiring additional router interfaces

How Does ARP Normally Work?

In a standard ARP request-response process:
1️⃣ A device (Host A) wants to send a packet to another device (Host B).
2️⃣ Host A broadcasts an ARP request: "Who has IP 192.168.1.10? Tell me your MAC address!"
3️⃣ If Host B owns 192.168.1.10, it replies with its MAC address.
4️⃣ Host A then sends traffic directly to Host B’s MAC.

How Proxy ARP Changes the Game

With Proxy ARP enabled on a firewall (or router):
1️⃣ Host A sends an ARP request for 192.168.1.10.
2️⃣ The firewall (which has Proxy ARP enabled) sees the request and responds on behalf of 192.168.1.10, using its own MAC address.
3️⃣ Host A now sends all traffic for 192.168.1.10 to the firewall, which forwards the packets to the correct destination.

This makes it seem like all these IPs exist on the firewall’s subnet—even if they don’t.

---

How Firewalls Use Proxy ARP for Multiple IPs on One Interface

Firewalls often use Proxy ARP to host multiple IP addresses on a single network interface. This is useful for:
✅ Public IP allocation: ISPs often assign multiple public IPs to a business, but they only provide a single physical connection. A firewall with Proxy ARP can respond to ARP requests for all those public IPs.
✅ One-to-one NAT: Firewalls can map external IPs to internal servers while making the external IPs appear locally reachable.
✅ Load balancing & failover: A firewall can respond to multiple IPs and distribute traffic between different backend servers.

Example: Firewall with Multiple Public IPs

Imagine an ISP assigns a business a block of public IPs (196.10.10.1–196.10.10.5) but only provides a single physical connection to the firewall.

🛜 Without Proxy ARP:

• Only the firewall’s primary IP (e.g., 196.10.10.1) would be accessible.

• The remaining IPs would need additional interfaces or static routes.

🛜 With Proxy ARP:

• The firewall can respond to ARP requests for 196.10.10.2–196.10.10.5, even though they don’t exist on a separate interface.

• It then performs NAT or routing to forward traffic accordingly.

---

Is Proxy ARP a Security Risk?

Only in a LAN – Not on Firewalls or SD-WAN Devices

⚠️ Security concerns arise when Proxy ARP is used in a LAN.

• In a local network, an attacker can use ARP spoofing (a Man-in-the-Middle (MITM) attack) to trick devices into sending traffic to the wrong destination.

• This can allow eavesdropping, traffic interception, or redirection to a malicious host.

🔒 On public-facing firewalls, SD-WAN devices, or edge routers, Proxy ARP is NOT a risk.

• The firewall is the legitimate owner of the public IPs and is expected to respond on behalf of them.

• There are no untrusted users inside the network who can manipulate ARP tables.

• Firewalls only respond to the correct requests, preventing spoofing attacks.

In fact, Proxy ARP is crucial for public IP address management, allowing firewalls and SD-WAN devices to efficiently handle multiple addresses on a single WAN link.

---

Why Fusion’s SD-WAN Uses Proxy ARP Correctly

🚀 Fusion's SD-WAN optimises multiple connections while correctly implementing Proxy ARP for public IPs. Unlike traditional firewall-based SD-WAN solutions that struggle with NAT complexities, Fusion’s SD-WAN:
✅ Ensures proper public IP mapping without breaking sessions
✅ Handles multi-WAN failover seamlessly without reconfiguration
✅ Avoids common NAT headaches seen in Mikrotik, pfSense, and other budget firewalls

🔑 Bottom line: If you’re dealing with public IPs, Proxy ARP is a necessity—not a risk. The real danger lies in cheap firewalls that mishandle ARP and NAT. For a secure, resilient, and intelligent solution, Fusion’s SD-WAN is the right choice.