configpolicy/roles/dch-gw/templates/masquerade.nft.j2


# Source NAT policy for the gateway: traffic leaving through the default
# IPv4 interface is masqueraded, except traffic destined for the VPN subnets.
table ip nat {
    # Destinations that must keep their original source address (no NAT).
    # "flags interval" lets the set hold CIDR prefixes rather than single hosts.
    set vpn_subnets {
        type ipv4_addr
        flags interval
        elements = {
            172.31.0.64/28,
            # One element per entry of the firemon_networks variable, emitted
            # as-is. Every prefix listed here is exempted from masquerading, so
            # an over-broad or malformed entry widens the exemption.
            # NOTE(review): presumably validated where the variable is defined;
            # confirm.
{% for cidr in firemon_networks %}
            {{ cidr }},
{% endfor %}
        }
    }

    # NOTE(review): no "type nat hook postrouting priority ..." line appears in
    # this template. Presumably the base chain is declared in another file and
    # these rules are appended to it; if not, this chain is never traversed.
    # Confirm.
    chain postrouting {
        # Rule order matters: the accept verdict ends evaluation of this chain,
        # so packets to the VPN subnets never reach the masquerade rule below.
        # The counter records how much traffic takes this exemption.
        ip daddr @vpn_subnets counter accept

        # Everything else leaving via the default IPv4 interface is masqueraded.
        # "oif" matches on the interface index, resolved when the ruleset is
        # loaded, so the interface has to exist at load time.
        oif {{ ansible_default_ipv4.interface }} masquerade
    }
}