diff --git a/environments/services/masquerade-networks.yaml b/environments/services/masquerade-networks.yaml
new file mode 100644
index 0000000000..3705ab19ae
--- /dev/null
+++ b/environments/services/masquerade-networks.yaml
@@ -0,0 +1,7 @@
+# A Heat environment file that can be used to configure masquerade networks
+
+resource_registry:
+  OS::TripleO::Services::MasqueradeNetworks: ../../puppet/services/masquerade-networks.yaml
+
+parameter_defaults:
+  MasqueradeNetworks: {'192.168.24.0/24': ['192.168.24.0/24']}
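Review bot: The default on the `MasqueradeNetworks` line, `{'192.168.24.0/24': ['192.168.24.0/24']}`, differs from the template default in puppet/services/masquerade-networks.yaml, which also lists `192.168.25.0/24` as a destination, and neither file says which is intended. Because this value decides which traffic is NATed and which is exempted, the header comment should state the format, for example `# MasqueradeNetworks maps each source CIDR to the destination CIDRs exempt from masquerading (RETURN); other traffic from that source is masqueraded.` That reading is inferred from the 137/138 rule template in the service file, so confirm it before adding the comment.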
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index d96ff05983..d9db5b1d7c 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -240,6 +240,7 @@ resource_registry:
   OS::TripleO::Services::Fluentd: OS::Heat::None
   OS::TripleO::Services::Ipsec: OS::Heat::None
   OS::TripleO::Services::Rhsm: OS::Heat::None
+  OS::TripleO::Services::MasqueradeNetworks: OS::Heat::None
   OS::TripleO::Services::Collectd: OS::Heat::None
   OS::TripleO::LoggingConfiguration: puppet/services/logging/fluentd-config.yaml
   OS::TripleO::Services::ManilaApi: OS::Heat::None
diff --git a/puppet/services/masquerade-networks.yaml b/puppet/services/masquerade-networks.yaml
new file mode 100644
index 0000000000..f152374db3
--- /dev/null
+++ b/puppet/services/masquerade-networks.yaml
@@ -0,0 +1,68 @@
+heat_template_version: queens
+
+description: >
+  Configure TripleO Masquerade networks with Puppet.
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  MasqueradeNetworks:
+    default: {'192.168.24.0/24': ['192.168.24.0/24', '192.168.25.0/24']}
+    description: Hash of masquerade networks to manage.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the TripleO Masquerade Networks service.
+    value:
+      service_name: masquerade_networks
+      config_settings:
+        tripleo.masquerade_networks.firewall_rules:
+          repeat:
+             for_each:
+                NETWORK: {get_param: MasqueradeNetworks}
+                INDEX:
+                  yaql:
+                    expression: range(len($.data)).select(str($))
+                    data: {get_param: MasqueradeNetworks}
+                DESTINATIONS:
+                  yaql:
+                    expression: $.data.values().select(' - ' + $.join('\n - '))
+                    data: {get_param: MasqueradeNetworks}
+             template: >
+               '137 routed_network return_INDEX':
+                 table: 'nat'
+                 source: 'NETWORK'
+                 destination:
+                   DESTINATIONS
+                 jump: 'RETURN'
+               '138 routed_network masquerade_INDEX':
+                 table: 'nat'
+                 source: 'NETWORK'
+                 jump: 'MASQUERADE'
+      step_config: ''
+      upgrade_tasks: []
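Review bot: The `repeat` under `tripleo.masquerade_networks.firewall_rules` lists three `for_each` keys (NETWORK, INDEX, DESTINATIONS) without `permutations: false`, and Heat's `repeat` iterates over every combination of its `for_each` entries by default rather than in parallel. With the single-key default this is harmless, but with two or more source networks it would appear to pair each source with every index and every destination list, so a RETURN or MASQUERADE rule could be rendered for a source/destination pair the operator never configured. If parallel iteration is what is meant, add `permutations: false` under `repeat:` and confirm that the map-valued NETWORK entry is accepted in that mode. Separately, `MasqueradeNetworks` is `type: json` with no constraint and is substituted straight into the rule text, so its description should at least say that keys and list items must be CIDR strings.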
diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml
index ed3c8920a2..58418d9219 100644
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
@@ -50,6 +50,7 @@
     - OS::TripleO::Services::ContainersLogrotateCrond
     - OS::TripleO::Services::RabbitMQ
     - OS::TripleO::Services::Rhsm
+    - OS::TripleO::Services::MasqueradeNetworks
     - OS::TripleO::Services::SwiftProxy
     - OS::TripleO::Services::SwiftRingBuilder
     - OS::TripleO::Services::SwiftStorage
diff --git a/roles/UndercloudLight.yaml b/roles/UndercloudLight.yaml
index 1a91f87c2e..0e5b8207d3 100644
--- a/roles/UndercloudLight.yaml
+++ b/roles/UndercloudLight.yaml
@@ -31,6 +31,7 @@
     - OS::TripleO::Services::NeutronDhcpAgent
     - OS::TripleO::Services::RabbitMQ
     - OS::TripleO::Services::Rhsm
+    - OS::TripleO::Services::MasqueradeNetworks
     - OS::TripleO::Services::SwiftProxy
     - OS::TripleO::Services::SwiftRingBuilder
     - OS::TripleO::Services::SwiftStorage
diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml
index f060261936..6161114ff7 100644
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@@ -53,6 +53,7 @@
     - OS::TripleO::Services::ContainersLogrotateCrond
     - OS::TripleO::Services::RabbitMQ
     - OS::TripleO::Services::Rhsm
+    - OS::TripleO::Services::MasqueradeNetworks
     - OS::TripleO::Services::SwiftProxy
     - OS::TripleO::Services::SwiftRingBuilder
     - OS::TripleO::Services::SwiftStorage