Proxy ARP is a technique by which a device on a given network answers ARP queries for a network address that is not on that network. This makes the hosts on one network appear to be logically part of a different physical network.
The bridge host will proxy ARP requests from the inside network to the outside, and respond to ARPs from the outside network on behalf of inside hosts. Linux will only do this for hosts that are known via the routing table, so a /32 host route must be created pointing to the inside host (one for each inside host). The route is also required for IP forwarding to work, i.e. when IP traffic arrives after the ARP process has completed.
As an example, to manually configure and test this out where the primary LAN has a network address of 10.42.0.0/24:
1. configure an inside client with a static IP of 10.42.0.11/24
2. on the bridge:
bridge# echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
bridge# echo 1 > /proc/sys/net/ipv4/ip_forward
bridge# ip ro add 10.42.0.11/32 dev eth0
3. ping from the inside host to an outside host, and examine the ARP table:
insidehost$ ping -c 1 10.42.0.2
PING 10.42.0.2 (10.42.0.2) 56(84) bytes of data.
64 bytes from 10.42.0.2: icmp_req=1 ttl=64 time=14.7 ms
insidehost$ arp -n 10.42.0.2
Address HWtype HWaddress Flags Mask Iface
10.42.0.2 ether b8:27:eb:6b:52:b9 C eth0
# b8:27:eb:6b:52:b9 is the MAC of eth0 - the inside interface - on the bridge
bridge$ arp -n 10.42.0.2
Address HWtype HWaddress Flags Mask Iface
10.42.0.2 ether 00:08:9b:be:f8:a2 C wlan0
# 00:08:9b:be:f8:a2 is the MAC of eth0 on the outside host
bridge$ arp -n 10.42.0.11
Address HWtype HWaddress Flags Mask Iface
10.42.0.11 ether 00:1b:a9:be:16:73 C eth0
10.42.0.11 (incomplete) wlan0
# 00:1b:a9:be:16:73 is the MAC of the inside host; the outside wlan0 entry if present should always be incomplete
outsidehost$ arp -n 10.84.42.11
Address HWtype HWaddress Flags Mask Iface
10.84.42.11 ether 00:e0:4c:10:3c:75 C eth0
# 00:e0:4c:10:3c:75 is the MAC of wlan0 on the bridge
Note that no IP address is required on the bridge’s inside ethernet interface for proxy ARP to work (though see below re. DHCP relay).
If you run tcpdump on the bridge’s ethernet and wlan interfaces, you’ll see the ARP request from the inside host being proxied to the outside interface, with the ARP source being the bridge’s outside-facing interface’s MAC address. The ARP table on the inside hosts will show the bridge’s inside interface MAC for all outside hosts, and similarly for outside hosts the MAC for all inside hosts will be the bridge’s outside interface MAC.
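The pattern described above, where one MAC answers for several IPs, can be checked mechanically. The following is an added example, not part of the original article: it groups `arp -n` output by MAC and lists every MAC that answers for more than one IP. The function names and the sample table (including 10.42.0.3, 10.42.0.12 and the MAC 00:1b:a9:aa:bb:cc) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): find MACs that answer for
# more than one IP in `arp -n` output. With proxy ARP this is expected for
# the bridge's MAC; the same pattern from any other MAC deserves a look.

# Constructed sample of an inside host's ARP table: two outside hosts resolve
# to the bridge's inside MAC, a second inside client resolves to its own MAC.
sample_inside_arp() {
cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
10.42.0.2                ether   b8:27:eb:6b:52:b9   C                     eth0
10.42.0.3                ether   b8:27:eb:6b:52:b9   C                     eth0
10.42.0.12               ether   00:1b:a9:aa:bb:cc   C                     eth0
10.42.0.1                        (incomplete)                              eth0
EOF
}

# Read `arp -n` output on stdin; print "iface mac count ip,ip,..." for every
# MAC that is recorded against more than one IP on the same interface.
shared_macs() {
    awk '
        $1 == "Address"      { next }    # header line
        $2 == "(incomplete)" { next }    # unresolved entry, no MAC to compare
        NF >= 5 {
            key = $NF " " tolower($3)    # interface + MAC
            if (!((key, $1) in seen)) {
                seen[key, $1] = 1
                ips[key] = (n[key] ? ips[key] "," : "") $1
                n[key]++
            }
        }
        END { for (k in n) if (n[k] > 1) print k, n[k], ips[k] }
    ' | sort
}

# Same as shared_macs, but drop the MAC given as $1 (the known bridge MAC),
# leaving only shared MACs that are not explained by the proxy ARP bridge.
unexpected_shared_macs() {
    ok=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shared_macs | awk -v ok="$ok" '$2 != ok'
}

# Demonstration on the constructed sample:
sample_inside_arp | shared_macs
# prints: eth0 b8:27:eb:6b:52:b9 2 10.42.0.2,10.42.0.3
```

On a live inside host the same check is `arp -n | unexpected_shared_macs b8:27:eb:6b:52:b9`, which prints nothing when the bridge is the only device answering for multiple addresses.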