vyos · natali-rs1985 · Nov 28, 2025
diff --git a/docs/vpp/configuration/nat/nat44.rst b/docs/vpp/configuration/nat/nat44.rst
@@ -10,10 +10,10 @@

 NAT44 has two main use cases:

 * **Source NAT (SNAT)**: Enabling Internet access for hosts in private networks using dynamic or static address translation
 * **Destination NAT (DNAT)**: Providing external access to internal services through static port forwarding rules

 VyOS supports both dynamic translation using address pools and static mappings for predictable address translation requirements.

 Configuration of NAT44 involves few steps:

@@ -23,35 +23,35 @@
 Dynamic and Static Operations
 =============================

 NAT44 configuration can be done in one of two ways or in both ways simultaneously:

 1. Dynamically performing NAT using a pool of public IP addresses.
 2. Statically mapping private IP addresses to public IP addresses.

 To configure dynamic NAT, you need to define a pool of public IP addresses that will be used for translation. This offers an easy way to provide Internet access to internal users.

 Static rules are more suitable for scenarios where you need to provide consistent and predictable mappings between private and public IP addresses, also they are the only way to configure DNAT.

 Interfaces Configuration
 ========================

 The first step in configuring NAT44 is defining which interfaces handle inside (private) and outside (public) traffic. VyOS uses these interface designations to determine the direction of translation.

 Inside Interfaces
 -----------------

 Inside interfaces connect to private networks where hosts need source NAT to access external networks.

 .. cfgcmd::

   set vpp nat44 interface inside <inside-interface>

 Traffic flowing **from** inside interfaces gets source NAT applied, translating private source addresses to public addresses from the translation pool.

 Outside Interfaces
 ------------------

 Outside interfaces connect to public networks where external hosts may need to access internal services.

 .. cfgcmd::

@@ -554,23 +554,22 @@
    # Increase session limit for high-capacity deployment
    set vpp settings nat44 session-limit 100000
 
-Forwarding Behavior
+Processing Mode
 -------------------
 
-By default, VyOS NAT44 forwards packets that don't match any NAT rules according to the routing table. This behavior can be controlled:
+NAT44 processing behavior can be controlled using the processing-mode option. Choose how NAT44 treats packets that do not match any NAT rule:
 
-.. cfgcmd:: set vpp settings nat44 no-forwarding
+.. cfgcmd:: set vpp settings nat44 processing-mode <mode>
 
-   Disable forwarding of packets that don't match existing NAT translations. When enabled, only packets that match static or dynamic NAT rules will be processed; all other traffic will be dropped.
+The available processing modes are:
 
-.. important::
-
-   This is a significant difference from traditional NAT solutions. By default, VyOS NAT44 allows non-NAT traffic to be forwarded normally. Using ``no-forwarding`` creates a pure NAT-only device that drops any traffic not covered by NAT rules.
+- ``static-dynamic``: Process traffic by both static rules and dynamic NAT (default)
+- ``static-bypass``: Process traffic by static NAT rules only, pass without NAT if not matched
 
-**Use cases for no-forwarding:**
+**Use cases:**
 
-* **Pure NAT gateway**: When the router should only handle NAT traffic and drop everything else
-* **Security isolation**: Preventing any non-NAT traffic from traversing the device
+* **static-dynamic**: Use when you want dynamic translations created for unmatched inbound traffic so most flows get NATed
+* **static-bypass**: Use when NAT should apply only to explicitly configured static mappings and all other traffic must continue to be routed normally
 
 Worker Assignment
 -----------------