diff --git a/deploy/terraform/main.tf b/deploy/terraform/main.tf
index 47b896a..9171e7c 100644
--- a/deploy/terraform/main.tf
+++ b/deploy/terraform/main.tf
@@ -66,6 +66,14 @@ resource "null_resource" "tink_directory" {
 destination = "/root/tink"
 }
+ provisioner "remote-exec" {
+ inline = [
+ "iptables -A FORWARD -i eth1 -o bond0 -j ACCEPT",
+ "iptables -A FORWARD -i bond0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
+ "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE",
+ ]
+ }
+
 provisioner "remote-exec" {
 inline = [
 "chmod +x /root/tink/*.sh /root/tink/deploy/tls/*.sh"
diff --git a/deploy/vagrant/scripts/tinkerbell.sh b/deploy/vagrant/scripts/tinkerbell.sh
index 803ca26..316377e 100644
--- a/deploy/vagrant/scripts/tinkerbell.sh
+++ b/deploy/vagrant/scripts/tinkerbell.sh
@@ -63,6 +63,12 @@ configure_vagrant_user() (
 --password-stdin "$TINKERBELL_HOST_IP"
 )
+setup_nat() (
+ iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
+ iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+)
+
 main() (
 export DEBIAN_FRONTEND=noninteractive
@@ -91,6 +97,8 @@ main() (
 ./setup.sh
+ setup_nat
+
 secure_certs
 configure_vagrant_user
diff --git a/setup.sh b/setup.sh
index 0b637f3..16cbb12 100755
--- a/setup.sh
+++ b/setup.sh
@@ -487,12 +487,6 @@ whats_next() (
 echo "$BLANK Follow the steps described in https://tinkerbell.org/examples/hello-world/ to say 'Hello World!' with a workflow."
 )
-setup_nat() (
- iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
- iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-)
-
 do_setup() (
 # perform some very rudimentary platform detection
 lsb_dist=$(get_distribution)
@@ -510,7 +504,6 @@ do_setup() (
 source "$ENV_FILE"
 setup_networking "$lsb_dist" "$lsb_version"
- setup_nat
 setup_osie
 generate_certificates
 setup_docker_registry
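Review bot: In deploy/terraform/main.tf the MASQUERADE rule matches `-o eth0`, while the two FORWARD rules in the same `inline` list treat `bond0` as the outbound side. If bond0 is the uplink on this host, traffic from eth1 is forwarded but leaves without source NAT, so the third entry probably wants `"iptables -t nat -A POSTROUTING -o bond0 -j MASQUERADE",`. All three rules also match on interface only. Adding a source match such as `-s <provisioning-cidr>` (placeholder, the value is not on this page) to the eth1 FORWARD rule and the POSTROUTING rule would limit forwarding and masquerading to the provisioning network, and the same applies to `setup_nat` in deploy/vagrant/scripts/tinkerbell.sh. The enclosing `null_resource` block starts and ends outside the hunk.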
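Review bot: `setup_nat` in deploy/vagrant/scripts/tinkerbell.sh appends its three rules with `-A` unconditionally, so each re-run of the provisioning script adds another copy to FORWARD and nat POSTROUTING, and the loaded rule set drifts from what the script describes. Checking with `iptables -C` before appending keeps the function safe to re-run; the rewrite below does that through a small helper and leaves the rule arguments as they are. The rules exist only in the running kernel, so presumably they are lost on reboot unless something outside this diff saves them, which is worth a comment above the function.

```shell
setup_nat() (
	# append a rule only when an identical one is not already loaded
	ensure_rule() {
		table=$1
		chain=$2
		shift 2
		iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
			iptables -t "$table" -A "$chain" "$@"
	}

	ensure_rule filter FORWARD -i eth1 -o eth0 -j ACCEPT
	ensure_rule filter FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
	ensure_rule nat POSTROUTING -o eth0 -j MASQUERADE
)
```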