diff --git a/salt-pillar/upstream/upstream1.sls b/salt-pillar/upstream/upstream1.sls
new file mode 100644
index 000000000..99fdb3e
--- /dev/null
+++ b/salt-pillar/upstream/upstream1.sls
@@ -0,0 +1,2 @@
+upstream:
+  dhcp_interface: up1
diff --git a/salt/upstream/dhcp.sls b/salt/upstream/dhcp.sls
new file mode 100644
index 000000000..7ded319
--- /dev/null
+++ b/salt/upstream/dhcp.sls
@@ -0,0 +1,19 @@
+{%- set dhcp_iface = pillar['upstream']['dhcp_interface'] %}
+{{ dhcp_iface }}:
+  network.managed:
+    - enabled: True
+      type: eth
+      proto: dhcp
+
+iptables:
+  pkg.installed: []
+
+/etc/network/if-pre-up.d/masquerade:
+  file.managed:
+    - source: salt://upstream/masquerade
+    - template: 'jinja'
+    - context:
+        upstream_iface: {{ dhcp_iface }}
+    - mode: 744
+    - require:
+        - pkg: iptables
diff --git a/salt/upstream/masquerade b/salt/upstream/masquerade
new file mode 100644
index 000000000..ae43fec
--- /dev/null
+++ b/salt/upstream/masquerade
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+if [ "$IFACE" = "{{ upstream_iface }}" ]; then
+   iptables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
+fi