diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index ab1eab5..8535b70 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@@ -108,12 +108,25 @@ table ip nat {
 map netmap-in { type ipv4_addr : interval ipv4_addr; flags interval; }
 map netmap-out { type ipv4_addr : interval ipv4_addr; flags interval; }
+ map nat {
+ type ipv4_addr : interval ipv4_addr; flags interval
+ elements = {
+{% for prefix in vrf_prefixes | selectattr('family.value', '==', 4) | selectattr('custom_fields.nat') %}
+ {{ prefix.prefix }} : {{ prefix.custom_fields.nat.address | ipmath(0) }}
+ {{- '' if loop.last else ',' }} # {{ prefix.vlan.name }}
+{% endfor %}
+ }
+ }
+
 chain postrouting {
 type nat hook postrouting priority srcnat
 iif @inside oif @outside snat ip prefix to ip saddr map @netmap-out \
 comment "Static source NAT for 1:1 mapped addresses"
+ iif @inside oif @outside snat to ip saddr map @nat \
+ comment "Dynamic NAT for private IPv4 networks"
+
 include "/etc/nftables.d/nat.nft*"
 }
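Review bot: Each `map nat` element is rendered straight from the inventory data without any guard, so a single bad entry takes the whole ruleset with it: `{{ prefix.vlan.name }}` on the element comment line raises at render time for a NAT-flagged prefix that has no VLAN, and an unparseable `prefix.prefix` or `custom_fields.nat.address` makes `nft -f` reject the entire file rather than that one element, leaving the host either on its previous rules or, at boot, on none. I would guard the comment with `# {{ prefix.vlan.name if prefix.vlan else 'no vlan' }}` and validate the filtered prefix list (an assert over `ipaddr('net')` of each `prefix.prefix` and of each `custom_fields.nat.address`) before the template is rendered. If no prefix carries the NAT flag the loop leaves `elements = { }`, which I believe some nft versions refuse to parse; wrapping the `elements` block in an `{% if %}` on the filtered list avoids relying on that. Traffic from an inside prefix present in neither @netmap-out nor @nat still leaves @outside untranslated after this change, which is presumably intended but worth stating in the rule's comment.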