diff --git a/src/packages/fff/fff-layer3-snat/Makefile b/src/packages/fff/fff-layer3-snat/Makefile
new file mode 100644
index 00000000..0e82310a
--- /dev/null
+++ b/src/packages/fff/fff-layer3-snat/Makefile
@@ -0,0 +1,31 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-layer3-snat
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-layer3-snat
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken layer3 configuration with SNAT
+ URL:=https://www.freifunk-franken.de
+ DEPENDS:= \
+ +fff-firewall \
+ +fff-layer3-config \
+ +kmod-ipt-nat
+endef
+
+define Package/fff-layer3-snat/description
+ With this package it is possible to make SNAT with IPv4 on the router
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-layer3-snat/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-layer3-snat))
diff --git a/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
new file mode 100644
index 00000000..b7454847
--- /dev/null
+++ b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
@@ -0,0 +1,34 @@
+configure() {
+ # first we delete the snat config
+ uci -q del network.client.fff_snat
+ uci -q del network.client.fff_snat_sourceip
+ if [ "$(uci -q get gateway.@client[0].snat)" = '1' ]; then
+
+ # first check the config is plausible
+ if ! routerip=$(uci -q get gateway.meta.router_ip); then
+ echo "ERROR: No router_ip set, which is required for SNAT!"
+ return 1
+ fi
+ if ! uci -q get gateway.@client[0].ipaddr >/dev/null; then
+ echo "ERROR: No ipaddr set, which is required for SNAT!"
+ return 1
+ fi
+
+ # keep only the first IP
+ routerip=${routerip%% *}
+ # keep only the IP without the CIDR
+ routerip=${routerip%%/*}
+
+ # We set the snat config
+ uci set network.client.fff_snat=1
+ uci set network.client.fff_snat_sourceip=$routerip
+ fi
+}
+
+apply() {
+ uci commit network
+}
+
+revert() {
+ uci revert network
+}
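Review bot: In `configure()` of 33-snat.conf, `routerip` is staged into `network.client.fff_snat_sourceip` without checking that what remains after the two `%%` trims is a non-empty IPv4 address, and the expansion is unquoted. If the first entry of `gateway.meta.router_ip` ends up empty after trimming or is not IPv4 (an IPv6 address is presumably possible in that option), `fff_snat=1` is still set and the firewall fragment later hands the value to `iptables --to-source`. I would quote the assignment, `uci set network.client.fff_snat_sourceip="$routerip"`, and reject bad values just before it, e.g. `case "$routerip" in ''|*[!0-9.]*) echo "ERROR: router_ip is not an IPv4 address!"; return 1;; esac`. The `ipaddr` check only tests that the option exists; its value is not used anywhere in this hunk.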
diff --git a/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
new file mode 100644
index 00000000..b4ec9799
--- /dev/null
+++ b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
@@ -0,0 +1,4 @@
+if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then
+ iptables -t mangle -A PREROUTING -i br-client -j MARK --set-mark 0x736e6174
+ iptables -t nat -A POSTROUTING -m mark --mark 0x736e6174 -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip)
+fi
diff --git a/src/packages/fff/fff-layer3/Makefile b/src/packages/fff/fff-layer3/Makefile
index 8318e25d..2d7de3cc 100644
--- a/src/packages/fff/fff-layer3/Makefile
+++ b/src/packages/fff/fff-layer3/Makefile
@@ -15,6 +15,7 @@ define Package/fff-layer3
 +fff-boardname \
 +fff-dhcp \
 +fff-layer3-config \
+ +fff-layer3-snat \
 +fff-mqtt-monitoring \
 +fff-network \
 +fff-ra \
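Review bot: In 30-snat the `--to-source` argument is an unquoted command substitution that is never checked, so an empty or malformed `fff_snat_sourceip` makes the POSTROUTING rule fail after the mangle rule has already been appended, leaving traffic from `br-client` marked but not translated. Read the value once and guard both rules with it: `sourceip=$(uci -q get network.client.fff_snat_sourceip)`, add `[ -n "$sourceip" ]` to the `if` condition, and pass `--to-source "$sourceip"`. Separately, `--set-mark 0x736e6174` overwrites the whole packet mark on everything entering `br-client`; if any other rule or policy-routing setup on the router relies on fwmarks (not visible in this diff), a masked `--set-xmark` on a dedicated bit would avoid clobbering them. A one-line comment saying the constant is ASCII "snat" would also help the next reader.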