diff --git a/hosts/router/configuration.nix b/hosts/router/configuration.nix
index 0b514e4..c70f2c7 100644
--- a/hosts/router/configuration.nix
+++ b/hosts/router/configuration.nix
@@ -5,6 +5,8 @@ [ ./hardware-configuration.nix + ./nat.nix + ./10-net-services.nix ./42-net-management.nix ./101-net-uplink-a.nix
diff --git a/hosts/router/nat.nix b/hosts/router/nat.nix
new file mode 100644
index 0000000..666b804
--- /dev/null
+++ b/hosts/router/nat.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+ networking.firewall.extraCommands = ''
+ # NAT for uplink
+ ip46tables -w -t nat -N nat-post
+
+ iptables -w -t nat -A nat-post -s '10.42.0.0/16' -o ppp-uplink-a -j MASQUERADE
+ iptables -w -t nat -A nat-post -s '10.42.0.0/16' -o ppp-uplink-b -j MASQUERADE
+
+ ip6tables -w -t nat -A nat-post -s 'fd00:10:42::/48' -o ppp-uplink-a -j MASQUERADE
+ ip6tables -w -t nat -A nat-post -s 'fd00:10:42::/48' -o ppp-uplink-b -j MASQUERADE
+
+ ip46tables -w -t nat -A POSTROUTING -j nat-post
+ '';
+ networking.firewall.extraStopCommands = ''
+ # NAT for uplink
+ ip46tables -w -t nat -D POSTROUTING -j nat-post 2>/dev/null || true
+ ip46tables -w -t nat -F nat-post 2>/dev/null || true
+ ip46tables -w -t nat -X nat-post 2>/dev/null || true
+ '';
+}
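Review bot: The chain setup at the top of `extraCommands` in nat.nix is not idempotent — `ip46tables -w -t nat -N nat-post` fails whenever `nat-post` already exists in the nat table (any path that re-runs the start commands without the stop commands having cleaned up first, or a stop that was interrupted), and the unconditional `-A POSTROUTING -j nat-post` would then stack a duplicate jump on every run. Mirroring the tolerant style already used in `extraStopCommands` makes the start side safe to repeat: `ip46tables -w -t nat -N nat-post 2>/dev/null || true`, then `ip46tables -w -t nat -F nat-post`, and `ip46tables -w -t nat -D POSTROUTING -j nat-post 2>/dev/null || true` immediately before the final append. Separately, these MASQUERADE rules only rewrite source addresses; whether new connections arriving on `ppp-uplink-a`/`ppp-uplink-b` are allowed to be forwarded into 10.42.0.0/16 or fd00:10:42::/48 is decided by FORWARD rules that are not part of this diff, so it is worth confirming that such a policy exists (NAT is not a filtering boundary) and saying so in the header comment, e.g. `# Source NAT only; forwarding policy for the uplinks lives in the *-net-uplink-* modules` if that is indeed where it is. The `config` and `pkgs` arguments on line 1 of the file are unused and could be dropped to `{ ... }:`.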