diff --git libexec/rc/rc.firewall libexec/rc/rc.firewall
index 8389d76..140e2e5 100644
--- libexec/rc/rc.firewall
+++ libexec/rc/rc.firewall
@@ -331,6 +331,20 @@ case ${firewall_type} in
 fi
 ;;
 esac
+ case ${firewall_nat_enable} in
+ [Yy][Ee][Ss])
+ if [ -n "${firewall_nat_interface}" ]; then
+ if echo "${firewall_nat_interface}" | \
+ grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
+ firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
+ else
+ firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
+ fi
+ ${fwcmd} nat 123 config log ${firewall_nat_flags}
+ ${fwcmd} add nat 123 ip4 from any to any via ${firewall_nat_interface}
+ fi
+ ;;
+ esac
 ${fwcmd} add deny all from "table($BAD_ADDR_TBL)" to any via ${oif}
 if [ -n "$inet6" ]; then
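Review bot: The added `${fwcmd} add nat 123 ip4 from any to any via ${firewall_nat_interface}` rule sits ahead of the `deny all from "table($BAD_ADDR_TBL)"` rule on the following context line, and with in-kernel NAT a packet only continues to later rules after translation when `net.inet.ip.fw.one_pass` is 0. Nothing in this hunk sets or checks that sysctl, so if it is left at 1 every IPv4 packet on the NAT interface would stop at the nat rule and skip the address checks and any filtering below it; this should be confirmed against the rest of the script. I would either set the sysctl alongside the nat config or at least document the dependency, e.g. `# nat 123: rules below see translated packets only if net.inet.ip.fw.one_pass=0`. The instance number 123 and the `log` option are also hard-coded, and a short comment saying why would help. The enclosing `case ${firewall_type}` branch starts and ends outside the hunk.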