tech-net archive
Proxy ARP
Hello,
Let's say I have a data diode separating two networks -- because the
data diode is unidirectional, normal (dynamic) ARP won't work.
The workaround is to use static ARP tables, but in this hypothetical let's
also say that there are multiple sources and multiple destinations, and
adding ARP tables manually on each system is a pain.
The solution is to tell a host (probably a subnet gateway) to fake
it and reply to all ARP requests relating to the destination addresses.
arp(8) seems to support this using the "pub" keyword. But what does
the "proxy" keyword do?
``[---] If the word pub is given, the entry will be "published";
i.e., this system will act as an ARP server, responding to requests for
hostname even though the host address is not its own. If the word proxy
is also given, the published entry will be a ``proxy only'' entry.''
What does "proxy only" mean here?
(I skimmed through the "Proxy ARP" thread from early 2016 by
ozaki-r@, but I'm not sure I found a reply that I understand).
Also, does ARP in any way associate the port/interface it receives a
reply on with the port/interface it expects to reach the host on?
Specifically: Say I have server S with a network interface wm0
which is connected to a regular LAN (192.168.0.y/24), on a separate host
on this LAN there's a Proxy ARP configured. wm1 is connected to the
"secret" network (10.0.0.x/24) through a data diode. The system can not
receive ARP replies through the data diode link, so it must rely on the
Proxy ARP, and for this hypothetical it is reachable on wm0.
Will S (running NetBSD) send the "who/where is 10.0.0.X?" ARP
request on wm0 or will it subnet mask match and only send it on wm1?
Assuming ARPs are sent on non-matching interfaces, if the Proxy ARP
has a hard-coded entry for 10.0.0.Y, which S will receive through wm0,
will it understand that "yes, you received this on wm0, but the address
is within wm1, so use that port/interface instead"?
My assumption is that there needs to be a Proxy ARP *before* the
data diode on wm1 (i.e. it can't use wm0 for this), but it would be neat
if that isn't the case.
--
Kind regards,
Jan Danielsson
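As an added illustration (not part of the post, and not NetBSD's arp(8) implementation), here is a small model of what a "published" entry does: a host answering ARP requests for addresses that are not its own, with the answer scoped to the interface the entry is published on so the segment where the real host lives never learns a wrong MAC. The interface names, MAC addresses and the 192.168.0.x / 10.0.0.x hosts are constructed to match the scenario above; the per-interface scoping is an assumption of this model, not a statement about how the kernel behaves.

```python
import struct
from ipaddress import ip_address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = b"\xff" * 6

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_arp(op, sha, spa, tha, tpa):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    Requests go to broadcast; replies are unicast to the requester."""
    dst = BCAST if op == ARP_REQUEST else tha
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + sha + ip_address(spa).packed + tha + ip_address(tpa).packed)
    return dst + sha + struct.pack("!H", ETH_P_ARP) + arp

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": frame[22:28], "spa": str(ip_address(frame[28:32])),
            "tha": frame[32:38], "tpa": str(ip_address(frame[38:42]))}

def proxy_answer(frame, iface, published, our_mac):
    """Model of a 'published' entry: answer a request for an address that is
    not ours, but only on the interface(s) the entry is published on
    (assumed scoping), so the real host's segment is never told that our_mac
    owns its address.  Returns the reply frame, or None if we stay silent."""
    req = parse_arp(frame)
    if req is None or req["op"] != ARP_REQUEST:
        return None
    if iface not in published.get(req["tpa"], set()):
        return None
    return build_arp(ARP_REPLY, our_mac, req["tpa"], req["sha"], req["spa"])

# Constructed scenario from the post: the proxy host sits on the LAN side
# (wm0) and publishes the 10.0.0.x hosts that live behind the data diode.
PROXY_MAC = mac("02:00:00:00:00:aa")
PUBLISHED = {"10.0.0.7": {"wm0"}, "10.0.0.8": {"wm0"}}
REQUEST = build_arp(ARP_REQUEST, mac("02:00:00:00:00:01"), "192.168.0.5",
                    b"\x00" * 6, "10.0.0.7")
```

Running `proxy_answer(REQUEST, "wm0", PUBLISHED, PROXY_MAC)` yields a unicast reply claiming 10.0.0.7 is at PROXY_MAC, while the same request seen on wm1, or a request for an unpublished address, gets no answer.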