When should I use proxy-arp?

Proxy-ARP is generally used in much the same situations as Static NAT, but can be preferable when NAT'ing a service may cause problems or when the service itself MUST know or work from the public IP address. For the uninitiated, Static NAT (or SNAT) is a one-to-one mapping of a real internet-known IP address to a masqueraded private-class IP address, which is the address the server itself actually uses. Masquerading IP addresses this way does not work well with many applications and services. Proxy-ARP allows the actual internet-known IP address to be used on the protected side of the router, so masquerading is not used and all applications should work as expected. For services such as web, mail, and DNS on a topology that will use 3 or fewer DMZ (server) addresses, I would suggest using SNAT instead of Proxy-ARP, since the filtering setup is generally less confusing. Users with a full subnet of IP addresses to run more servers, and/or users running services such as active FTP, game servers, or other non-standard services, may find Proxy-ARP much easier to set up and run instead. A preferred system to use SNAT on would be a 2 or 3 IP address connection of the kind offered by many ISPs.

The largest apparent difference between 'true' bridging and proxy-arp is that bridging forwards all broadcast traffic across all interfaces. This cannot be done by any routing function, proxy-arp included, so a separate broadcast domain is created for each interface. Any work-around for broadcast traffic that works with general routing will also work with proxy-arp, such as adding WINS servers, running dhcrelay, or sometimes simply entering the IP address of the necessary server in the application configuration rather than relying on broadcast resolution.

A common use for proxy-arp is to avoid creating a separate subnet, with the routing changes that requires, for use between different interfaces (both interfaces will work on a single subnet). On larger networks you may regularly need to split the IP addresses up into smaller subnets, which commonly leads to 'lost' addresses because each of these smaller subnets uses IP addresses for its network and broadcast requirements. Use of proxy-arp can avoid the need to create these smaller subnets and conserve the available IP addresses in the process. My last reason is that it is simply easy to set up and can be used in most network topologies (WAN-LAN, LAN-LAN, WAN-DMZ, etc.).
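The address cost of subnetting described above can be worked through with a short calculation; this is an added example, not part of the original text. The block 203.0.113.0/28, the host counts, the function names and the assumption that the router takes one address per subnet (and one in total with proxy-arp) are all constructed for illustration.

```python
import ipaddress

ROUTER = 1    # assumption: the router interface takes one address per subnet
RESERVED = 2  # network and broadcast address of every subnet


def split_into_subnets(block, segment_hosts):
    """Carve one subnet per segment out of `block`, largest segment first.
    Raises ValueError when the block cannot hold all the subnets."""
    net = ipaddress.ip_network(block)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    subnets = []
    for hosts in sorted(segment_hosts, reverse=True):
        need = hosts + ROUTER + RESERVED
        bits = (need - 1).bit_length()  # smallest power of two >= need
        if cursor + 2 ** bits > end:
            raise ValueError(f"{block} cannot hold a subnet for {hosts} hosts")
        subnets.append(ipaddress.ip_network((cursor, 32 - bits)))
        cursor += 2 ** bits
    return subnets


def host_capacity_subnetted(block, segment_hosts):
    """Host addresses left after each subnet pays its own overhead."""
    subnets = split_into_subnets(block, segment_hosts)
    return sum(s.num_addresses - ROUTER - RESERVED for s in subnets)


def host_capacity_proxy_arp(block):
    """With proxy-arp every interface shares the one subnet, so the
    network/broadcast/router overhead is paid only once."""
    return ipaddress.ip_network(block).num_addresses - ROUTER - RESERVED


if __name__ == "__main__":
    block = "203.0.113.0/28"  # constructed sample: 16 public addresses
    for segments in ([5, 4], [6, 4]):  # hosts wanted on the two interfaces
        print(f"segments {segments}, proxy-arp capacity "
              f"{host_capacity_proxy_arp(block)} hosts")
        try:
            nets = [str(s) for s in split_into_subnets(block, segments)]
            print(f"  subnetted: {nets}, capacity "
                  f"{host_capacity_subnetted(block, segments)} hosts")
        except ValueError as err:
            print(f"  subnetted: does not fit ({err})")
```

With these sample numbers, 6 + 4 hosts fit in the /28 under proxy-arp but cannot be placed once the block is split into one subnet per interface.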