Scenario 2a: SNAT—Packets passing through the vRouter
Firewall rules are applied before DNAT. This sequence means that firewall decisions based on source address are made on the translated source address—not the original source address. This order of evaluation is true for both inbound and outbound packets; refer to the following figure.