Does there perhaps already exist a command in VyOS to solve the use case below?
Use case:
eth0: WAN-interface.
eth1: LAN-interface.
eth0 is configured with 192.168.0.1/24.
eth0 is using default gateway 192.168.0.254.
You will SNAT particular outgoing traffic at eth0 to 192.168.0.2 (basically a 1:1 NAT, since you will also SNAT another LAN host to 192.168.0.3).
If you enable proxy-arp or local-proxy-arp on eth0, your VyOS box will then send ARP replies for all IP addresses of 192.168.0.0/24.
This is bad because in this use case there are other devices on the 192.168.0.0/24 network besides your VyOS box and the gateway it uses. The other devices will be interrupted when this VyOS box is sending ARP replies in their name. Other boxes will detect this as IP collisions and/or an ARP-spoofing attack.
Solution:
You want to limit VyOS to proxy-arp only for 192.168.0.2 and 192.168.0.3 for arp-requests arriving at eth0.
Manually this could be achieved through the following commands; it would be preferred if something similar could be done through vyos-config:
/sbin/arp -i eth0 -Ds 192.168.0.2 eth0 pub
/sbin/arp -i eth0 -Ds 192.168.0.3 eth0 pub
It would be preferred if the vyos-config syntax covered not only physical interfaces but also VLAN interfaces (vif) and tunnel interfaces.
Ref:
https://tldp.org/HOWTO/Proxy-ARP-Subnet/setup.html
https://manpages.debian.org/bookworm/net-tools/arp.8.en.html
Edit:
The above use case describes proxy-arp (for IPv4), but the same need exists for proxy-ndp (for IPv6), even if NAT is less common in the IPv6 world (there can be other reasons why a "virtual" IPv6 address should be directed to the VyOS box using proxy-ndp).
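An added example, not part of the original post and not VyOS code: a small generator that emits one proxy entry per address instead of enabling interface-wide proxy-arp, and refuses addresses the box must not answer for. The function name `proxy_commands` is hypothetical; the IPv4 command is the one from the post, and the IPv6 line goes beyond it by using iproute2's `ip -6 neigh add proxy`.

```python
import ipaddress
import re

# Interface names as used in the post (eth0) plus vif style (eth0.10); max 15 chars on Linux.
IFNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")

def proxy_commands(ifname, if_cidr, gateway, publish):
    """Return one command per address to publish on ifname.

    Raises ValueError for anything that would make the box answer ARP/NDP
    on behalf of another device (gateway, off-subnet, broadcast, ...).
    """
    if not IFNAME_RE.match(ifname):
        raise ValueError(f"suspicious interface name: {ifname!r}")
    iface = ipaddress.ip_interface(if_cidr)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    cmds, seen = [], set()
    for text in publish:
        addr = ipaddress.ip_address(text)
        if addr.version != iface.version or addr not in net:
            raise ValueError(f"{addr} is outside {net}")
        if addr == iface.ip:
            raise ValueError(f"{addr} is already configured on {ifname}")
        if addr == gw:
            raise ValueError(f"{addr} is the default gateway")
        if addr.version == 4 and addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{addr} is the network or broadcast address")
        if addr in seen:
            continue  # publish each address once
        seen.add(addr)
        if addr.version == 4:
            # Command form taken from the post.
            cmds.append(f"/sbin/arp -i {ifname} -Ds {addr} {ifname} pub")
        else:
            # iproute2 form; also needs net.ipv6.conf.<ifname>.proxy_ndp=1.
            cmds.append(f"ip -6 neigh add proxy {addr} dev {ifname}")
    return cmds

if __name__ == "__main__":
    # Values from the post's use case.
    for line in proxy_commands("eth0", "192.168.0.1/24", "192.168.0.254",
                               ["192.168.0.2", "192.168.0.3"]):
        print(line)
```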