diff --git a/roles/nat_server/tasks/main.yml b/roles/nat_server/tasks/main.yml index 3d1ecc49ed17d0231ce62c0e9c2702f89b16d75d..ecc647a7b59e5a527bd096b2e936aec18c44f940 100644 --- a/roles/nat_server/tasks/main.yml +++ b/roles/nat_server/tasks/main.yml @@ -19,7 +19,17 @@ become: true become_user: root - +- name: get name of device for public interface + # output looks like + # 8.8.8.8 via 118.138.254.254 dev eth2 src 118.138.254.185 + shell: /usr/sbin/ip route get 8.8.8.8 | awk '{print $5;exit }' + register: public_device_name + +#if not defined, default to M3=vlan 114 ; +#See https://webnet.its.monash.edu.au/cgi-bin/staff-only/netsee +- set_fact: PRIVATE_NETWORK_CIDR="172.16.200.0/21" + when: PRIVATE_NETWORK_CIDR is undefined + # template ip tables rules or add rules on startup? - name: template rules template: dest=/etc/sysconfig/iptables src=iptables.j2 diff --git a/roles/nat_server/templates/iptables.j2 b/roles/nat_server/templates/iptables.j2 index 1decc94e170256b136a56b0dfc609b1fc89bc0fd..07def7ca120b86a9fc573c9f7ac3bcc249889df8 100644 --- a/roles/nat_server/templates/iptables.j2 +++ b/roles/nat_server/templates/iptables.j2 @@ -14,7 +14,7 @@ COMMIT :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] --A POSTROUTING -o eth2 -j MASQUERADE +-A POSTROUTING -o {{ public_device_name.stdout }} -j MASQUERADE COMMIT # Completed on Mon Nov 7 16:34:03 2016 # Generated by iptables-save v1.4.21 on Mon Nov 7 16:34:03 2016 @@ -28,6 +28,6 @@ COMMIT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -i mlx0 -j ACCEPT --A FORWARD -i eth1 -j ACCEPT +-A FORWARD -s {{ PRIVATE_NETWORK_CIDR }} -j ACCEPT COMMIT # Completed on Mon Nov 7 16:34:03 2016
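Review bot: The field position in `ip route get 8.8.8.8 | awk '{print $5;exit }'` only holds when the output has a `via` hop as in the example comment; for a directly connected route the output is `8.8.8.8 dev eth2 src ...`, so `$5` becomes `src`, and an unexpected or empty value is then rendered straight into the MASQUERADE rule by the template. Match the `dev` token by name rather than position, mark the task `changed_when: false` since it only reads state, and fail the play when nothing is captured instead of registering an empty interface name. Separately, the `set_fact` default silently hard-codes a site-specific CIDR whenever the variable is undefined (including when it is merely misspelled in inventory); the idiomatic test is `when: PRIVATE_NETWORK_CIDR is not defined`, and the comment should say the default is only valid for that one site.
```yaml
- name: get name of device for public interface
  # … unchanged: example-output comments …
  # a directly connected route has no "via" field, so take the token after "dev" by name
  shell: /usr/sbin/ip route get 8.8.8.8 | sed -n 's/.* dev \([^ ]*\).*/\1/p'
  register: public_device_name
  changed_when: false
  failed_when: public_device_name.rc != 0 or (public_device_name.stdout | trim) == ''
```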
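Review bot: The rendered rule `-A POSTROUTING -o {{ public_device_name.stdout }} -j MASQUERADE` carries no source restriction, so anything the host forwards out of the public device is NAT'd, not just the private range the FORWARD rule later in this file admits; and if the registered fact is empty the line renders as `-o  -j MASQUERADE`, which iptables-restore rejects, so the whole ruleset fails to load on boot. Scope the rule to the private range and trim the captured name: `-A POSTROUTING -s {{ PRIVATE_NETWORK_CIDR }} -o {{ public_device_name.stdout | trim }} -j MASQUERADE`. Whether an empty fact can reach this template depends on the registering task in main.yml, which should fail on empty output rather than register an empty string.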
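Review bot: Replacing `-i eth1` with `-s {{ PRIVATE_NETWORK_CIDR }}` turns an interface-bound match into a source-address-only match, and a source address is attacker-chosen: a packet arriving on the public device with a forged 172.16.200.0/21 source now hits this ACCEPT and is forwarded (and, via the POSTROUTING rule, masqueraded) unless rp_filter or an earlier rule drops it, neither of which is visible here. Keep an ingress-interface constraint using the fact the commit already collects, `-A FORWARD ! -i {{ public_device_name.stdout }} -s {{ PRIVATE_NETWORK_CIDR }} -j ACCEPT`, or better, register the private interface the same way and match `-i` on it. The FORWARD chain's default policy and any RELATED,ESTABLISHED rule sit outside this hunk, so whether the old `-i eth1` rule was the only thing gating forwarded traffic cannot be confirmed from here.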