Proxy ARP?
I've noticed that

a) I can manually add static arp entries, which the kernel will then do
proxy ARP for; and

b) I can build ports/net/arpcatch, which appears to be a userland tool
that does exactly the same thing.

What I haven't been able to find yet is a means of forcing my box to do
proxy arp globally. (Something just occurred to me - I could bridge
instead, but that's not quite the same thing...)

Reason: I (very) badly underestimated the growth of two groups of IP
addresses, and I subnetted a class-C a bit too deeply. I now have
subnets that are full, with production machines (including DNS servers)
that I can't just renumber without a LOT of headaches.

I have one router (OpenBSD) with multiple arms right now. I'm not even
using all of the subnets, so I have plenty of address space left over.
ONE of those segments must be strongly protected, ONE of those segments
must be partially protected, and the rest must be wide-open (no
filters).

I had hoped to be able to start allocating IP addresses from other
subnets (I've got everything set up as /27 subnets) and deliberately
using a /24 subnet mask - and letting the router sort things out.

I still want it to apply filtering on physical interfaces, but I want to
be able to allocate IPs without regard to my original subnetting plan
(which is now shot to hell).

As I'm writing this, I realize that bridging is one way to accomplish it -
can anyone explain what would work differently between bridging and
proxy-arping everything? I know the semantics of how they work are
different, but would I see any difference in real life?

Thanks

-Adam
--
Adam Thompson, MCNE, MCSE, CWT, A+
Vice-President / Chief Technology Officer, Commerce Design Inc.
<athompso@commerced.com>
tel: (204) 942-1648, fax: (204) 989-8080, cell: (204) 782-6198