vyos · natali-rs1985 · Nov 28, 2025 · Dec 12, 2025
diff --git a/docs/vpp/configuration/nat/nat44.rst b/docs/vpp/configuration/nat/nat44.rst
@@ -10,10 +10,10 @@

 NAT44 has two main use cases:

 * **Source NAT (SNAT)**: Enabling Internet access for hosts in private networks using dynamic or static address translation
 * **Destination NAT (DNAT)**: Providing external access to internal services through static port forwarding rules

 VyOS supports both dynamic translation using address pools and static mappings for predictable address translation requirements.

 Configuration of NAT44 involves few steps:

@@ -23,15 +23,39 @@
 Dynamic and Static Operations
 =============================

 NAT44 configuration can be done in one of two ways or in both ways simultaneously:

 1. Dynamically performing NAT using a pool of public IP addresses.
 2. Statically mapping private IP addresses to public IP addresses.

 To configure dynamic NAT, you need to define a pool of public IP addresses that will be used for translation. This offers an easy way to provide Internet access to internal users.
 
 Static rules are more suitable for scenarios where you need to provide consistent and predictable mappings between private and public IP addresses, also they are the only way to configure DNAT.
 
+NAT Rule Processing and Traffic Flow
+------------------------------------
+
+This section explains how different combinations of NAT rules affect traffic handling on a router. There are three possible combinations of NAT rules configurations:
+
+1. **Dynamic NAT Only**
+
+   * **All** traffic received on the "in" interface is processed by dynamic NAT rules without exceptions.
+
+2. **Dynamic + Static NAT**
+
+   * **All** traffic received on the "in" interface is first matched against static NAT rules.
+   * If no match is found, it is then processed by dynamic NAT rules.
+
+3. **Static NAT Only**
+
+   * **All** traffic on the "in" interface is checked against static NAT rules.
+   * If no match is found, the traffic is routed **without NAT**.
+
+.. important::
+
+   * If **dynamic NAT rules** are present, **all** traffic received on "in" interfaces is subject to NAT processing.
+   * If **only static NAT rules** are configured, traffic that does not match any static rule is routed unchanged.
+
 Interfaces Configuration
 ========================
 
@@ -554,24 +578,6 @@
    # Increase session limit for high-capacity deployment
    set vpp settings nat44 session-limit 100000
 
-Forwarding Behavior
--------------------
-
-By default, VyOS NAT44 forwards packets that don't match any NAT rules according to the routing table. This behavior can be controlled:
-
-.. cfgcmd:: set vpp settings nat44 no-forwarding
-
-   Disable forwarding of packets that don't match existing NAT translations. When enabled, only packets that match static or dynamic NAT rules will be processed; all other traffic will be dropped.
-
-.. important::
-
-   This is a significant difference from traditional NAT solutions. By default, VyOS NAT44 allows non-NAT traffic to be forwarded normally. Using ``no-forwarding`` creates a pure NAT-only device that drops any traffic not covered by NAT rules.
-
-**Use cases for no-forwarding:**
-
-* **Pure NAT gateway**: When the router should only handle NAT traffic and drop everything else
-* **Security isolation**: Preventing any non-NAT traffic from traversing the device
-
 Worker Assignment
 -----------------