diff --git a/nix/nixos-module/container/yggdrasil.nix b/nix/nixos-module/container/yggdrasil.nix
index 28e1134..3c4f6c7 100644
--- a/nix/nixos-module/container/yggdrasil.nix
+++ b/nix/nixos-module/container/yggdrasil.nix
@@ -10,8 +10,15 @@ lib.mkIf config.site.hosts.${hostName}.services.yggdrasil.enable {
 fi
 '';

- boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
 # Forward traffic under the prefix.
+ boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+ networking.nat = {
+ enable = true;
+ # Provide NAT66 for everyone with addresses foreign to Yggdrasil
+ extraCommands = ''
+ ip6tables -t nat -A POSTROUTING ! --src 200::/7 -o ygg -j MASQUERADE
+ '';
+ };

 services.yggdrasil = {
 enable = true;
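Review bot: The MASQUERADE rule in `extraCommands` matches every forwarded packet whose source is outside 200::/7, so with `net.ipv6.conf.all.forwarding` set to 1 any host or interface that can route through this container is translated onto Yggdrasil under this node's address, and no FORWARD restriction is visible in the hunk. I would scope the rule to the intended clients, e.g. `ip6tables -t nat -A POSTROUTING -s <SITE_PREFIX> -o ygg -j MASQUERADE` (placeholder prefix), and say in the comment that remote peers will attribute all of that traffic to this one node. The rule is also appended directly to `POSTROUTING` rather than to a chain the NAT module flushes, so it probably accumulates a duplicate on each restart of the NAT/firewall unit; a matching `-D` in `networking.nat.extraStopCommands` would avoid that. The attribute set continues outside the hunk.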