Users most often break networking by treating public IP subnets as if they behave like the local area networks in their homes or near-production environments.
This usually shows up as bridged interfaces, virtual machines assigned public IPs directly, or expectations that ARP will “just work.” When things fail, the blame tends to fall on the firewall, the hypervisor, or the ISP.
The real issue is simpler: the mental model is wrong.
1. The incorrect mental model
The typical belief sounds like this:
“I have a /29 or /24 from my ISP. If I connect that subnet to my hypervisor, my VMs can just use those public IPs directly.”
This assumes public address space behaves like a private broadcast domain — similar to plugging one switch into another. From that perspective, ARP should resolve, neighbors should reply, and traffic should flow normally.
That assumption is incorrect.
2. What actually happens on the wire
Public IP subnets are not shared Ethernet segments. They are routed address space, owned and controlled by the upstream router.
When traffic is destined for one of your public IPs, the upstream router does not broadcast ARP requests through your hypervisor or internal switch. Instead, it consults its routing table and forwards the packet to a single next hop — the device it believes owns that address.
If you bridge public IPs onto internal hosts and expect the upstream router to ARP for each of them, it will fail. The router only ever ARPs for its configured next hop, so it never sends requests for those addresses and never sees or answers the requests those hosts send. No firewall rule or hypervisor configuration can change this behavior.
From the upstream router’s point of view, anything beyond the next hop does not exist.
3. Public subnets are routed, not switched
A useful rule to remember:
Public IP space is delivered to you as a route, not as a layer-2 network.
That means:
- You do not get a broadcast domain
- You do not get neighbor discovery across hosts
- Packets are forwarded strictly to a next hop
That next hop is usually your router or firewall — not individual VMs. Bridging public IPs internally creates a false sense of connectivity that may appear to work in trivial cases, but collapses under real traffic.
When people say “my ISP gave me a subnet,” what actually happened is that the ISP routed that subnet to one device.
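The forwarding decision described above, as an added simulation that is not part of the original post: a tiny longest-prefix-match router whose table holds a connected /30 link network and a /29 routed to the customer's firewall. All addresses are constructed from the 203.0.113.0/24 documentation range, and the interface name is a placeholder. It shows that for a packet to a /29 address the router ARPs only for the next hop, so a VM bridged onto the link with one of those addresses is never asked for its MAC.

```python
"""Simulate the upstream router's forwarding decision for a routed /29."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: Optional[IPv4Address] = None  # None = connected (on-link) route


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the only thing the upstream router consults."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def arp_target(table: List[Route], dst: str) -> Optional[IPv4Address]:
    """The single IP the router will ARP for when forwarding a packet to dst.
    Connected route -> it ARPs for dst itself (true layer-2 adjacency).
    Static route    -> it ARPs for the next hop only; dst is never queried."""
    route = lookup(table, dst)
    if route is None:
        return None  # no route: packet is dropped, nobody is ARPed
    return ip_address(dst) if route.next_hop is None else route.next_hop


def sees_arp_for_itself(table: List[Route], host: str) -> bool:
    """True only if a host holding this IP at layer-2 would be ARPed by the router."""
    return arp_target(table, host) == ip_address(host)


# Constructed sample table (documentation range, placeholder interface name):
# the ISP hands the customer a /30 link network and routes a /29 to the
# customer's firewall at 203.0.113.2.
ISP_TABLE = [
    Route(ip_network("203.0.113.0/30"), "ge-0/0/1"),                            # connected link
    Route(ip_network("203.0.113.8/29"), "ge-0/0/1", ip_address("203.0.113.2")),  # routed /29
]

if __name__ == "__main__":
    vm = "203.0.113.10"   # VM bridged onto the link, holding a /29 address directly
    fw = "203.0.113.2"    # firewall on the /30, the configured next hop
    print("router ARPs for:", arp_target(ISP_TABLE, vm))              # 203.0.113.2
    print("bridged VM ever ARPed:", sees_arp_for_itself(ISP_TABLE, vm))  # False
    print("firewall ever ARPed:", sees_arp_for_itself(ISP_TABLE, fw))    # True
```

Swap the /29 entry for a connected route (no next hop) and the bridged VM would be ARPed, which is exactly the behaviour people expect and the ISP's routed delivery does not provide.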
4. Models that actually work
Only a few models behave correctly and predictably:
- Routed subnet to a firewall/router, with all public IPs terminating there
- 1:1 NAT, where the router owns the public IP and maps it explicitly
- Policy routing / loopback ownership, where the router is the ARP endpoint
All of these share the same property:
One device owns the public IP at layer-2. Everything else lives downstream at layer-3.
Once you understand this, packet flow becomes obvious, debugging becomes simpler, and the system stops feeling unpredictable.
5. The rule of thumb
If you don’t control the upstream router, you don’t control ARP.
Public IPs should be routed to you — not bridged through you.