Traffic flow through firewall, NAT, and routing
For example, if you are using DNAT, you should take care not to set up the system to route packets based on particular external addresses. This routing method would not have the expected result because the addresses of external packets would have all been changed to internal addresses by DNAT before routing.
The following figure shows the traffic flow between NAT, routing, and firewall within the vRouter.