diff --git a/cmd/api/v5/route.go b/cmd/api/v5/route.go 
index bff39b5..813cb82 100644 
--- a/cmd/api/v5/route.go 
+++ b/cmd/api/v5/route.go 
@@ -24,7 +24,6 @@ func (r Route) Add(c *cli.Context) error {
 NextHop: c.String("nexthop"),
 FindHop: c.String("findhop"),
 Metric: c.Int("metric"), 
- Mode: c.String("mode"),
 }
 url := r.Url(c.String("url"), network)
 clt := r.NewHttp(c.String("token")) 
diff --git a/dist/rootfs/etc/openlan/switch/network/default.json.example b/dist/rootfs/etc/openlan/switch/network/default.json.example 
index 60ed987..a0bde78 100755 
--- a/dist/rootfs/etc/openlan/switch/network/default.json.example 
+++ b/dist/rootfs/etc/openlan/switch/network/default.json.example 
@@ -4,11 +4,6 @@
 "bridge": {
 "address": "172.32.99.40/24"
 }, 
- "routes": [ 
- { 
- "prefix": "172.32.10.0/24" 
- } 
- ],
 "openvpn": {
 "listen": "0.0.0.0:3294",
 "subnet": "172.32.194.0/24" 
diff --git a/dist/rootfs/etc/openlan/switch/network/network.json.example b/dist/rootfs/etc/openlan/switch/network/network.json.example 
index e802298..f78d48f 100755 
--- a/dist/rootfs/etc/openlan/switch/network/network.json.example 
+++ b/dist/rootfs/etc/openlan/switch/network/network.json.example 
@@ -5,19 +5,6 @@
 "address": "172.32.100.40/24",
 "tcpMss": 1360
 }, 
- "routes": [ 
- { 
- "prefix": "172.32.10.0/24" 
- } 
- ], 
- "links": [ 
- { 
- "protocol": "tls", 
- "connection": "hi.openlan.net", 
- "username": "hi", 
- "password": "1f4ee82b5eb6" 
- } 
- ],
 "openvpn": {
 "protocol": "tcp",
 "listen": "0.0.0.0:3295", 
@@ -35,5 +22,6 @@
 },
 "acl": "acl-100",
 "dhcp": "enable", 
+ "snat": "disable",
 "namespace": "example"
 } 
diff --git a/pkg/api/api.go b/pkg/api/api.go 
index d60265f..0064eb3 100755 
--- a/pkg/api/api.go 
+++ b/pkg/api/api.go 
@@ -114,6 +114,8 @@ type Networker interface {
 FindHoper() FindHoper
 DoZTrust()
 UndoZTrust() 
+ DoSnat() 
+ UndoSnat()
 }
 type IPSecer interface { 
diff --git a/pkg/config/network.go b/pkg/config/network.go 
index 1e9f897..cdb104f 100755 
--- a/pkg/config/network.go 
+++ b/pkg/config/network.go 
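Review bot: `DoSnat()` and `UndoSnat()` are added to the exported `Networker` interface without doc comments, so an implementer or API caller cannot tell from the interface what they toggle or that they report no failure. Go convention wants a comment on each exported method; something like `// DoSnat installs this network's SNAT jump in the nat POSTROUTING chain; UndoSnat removes it. Neither reports failure, matching DoZTrust/UndoZTrust.` would do, with the POSTROUTING detail taken from the `doSnat` implementation elsewhere in this diff. Because the methods return nothing, a caller that flips SNAT over the API is told nothing if the underlying firewall change did not apply; that matches the existing zero-trust methods, so it is a style choice, but worth stating in the comment. The interface body continues outside the hunk.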
@@ -25,6 +25,7 @@ type Network struct {
 Outputs []*Output `json:"outputs,omitempty"`
 ZTrust string `json:"ztrust,omitempty"`
 Qos string `json:"qos,omitempty"` 
+ Snat string `json:"snat,omitempty"`
 Namespace string `json:"namespace,omitempty"`
 FindHop map[string]*FindHop `json:"findhop,omitempty"`
 } 
diff --git a/pkg/schema/network.go b/pkg/schema/network.go 
index f48aacc..2b5ecc5 100755 
--- a/pkg/schema/network.go 
+++ b/pkg/schema/network.go 
@@ -13,7 +13,6 @@ type PrefixRoute struct {
 NextHop string `json:"nexthop"`
 FindHop string `json:"findhop"`
 Metric int `json:"metric"` 
- Mode string `json:"mode"`
 MultiPath []MultiPath `json:"multipath,omitempty"`
 } 
diff --git a/pkg/switch/network.go b/pkg/switch/network.go 
index 8890dab..e64d7fa 100755 
--- a/pkg/switch/network.go 
+++ b/pkg/switch/network.go 
@@ -56,6 +56,7 @@ type WorkerImpl struct {
 br cn.Bridger
 acl *ACL
 findhop *FindHop 
+ snat *cn.FireWallChain
 }
 func NewWorkerApi(c *co.Network) *WorkerImpl { 
@@ -115,6 +116,7 @@ func (w *WorkerImpl) Initialize() {
 w.createVPN()
 w.fire = cn.NewFireWallTable(cfg.Name) 
+ w.snat = cn.NewFireWallChain("XTT_"+cfg.Name+"_SNAT", cn.TNat, "")
 if out, err := w.setV.Clear(); err != nil {
 w.out.Error("WorkerImpl.Initialize: create ipset: %s %s", out, err) 
@@ -394,6 +396,36 @@ func (w *WorkerImpl) SetMss(mss int) {
 }
 } 
+func (w *WorkerImpl) doSnat() { w.fire.Nat.Post.AddRuleX(cn.IPRule{ Jump: w.snat.Chain().Name, Comment: "Goto SNAT", }) } 
+func (w *WorkerImpl) undoSnat() { w.fire.Nat.Post.DelRuleX(cn.IPRule{ Jump: w.snat.Chain().Name, Comment: "Goto SNAT", }) } 
+func (w *WorkerImpl) DoSnat() { cfg, _ := w.GetCfgs() if cfg.Snat != "disable" { cfg.Snat = "enable" w.doSnat() } } 
+func (w *WorkerImpl) UndoSnat() { cfg, _ := w.GetCfgs() if cfg.Snat == "disable" { cfg.Snat = "disable" w.undoSnat() } }
 func (w *WorkerImpl) doTrust() {
 _, vpn := w.GetCfgs()
 w.fire.Mangle.Pre.AddRuleX(cn.IPRule{ 
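Review bot: The guards in the new `DoSnat` and `UndoSnat` look inverted: `Start()` elsewhere in this diff installs the POSTROUTING jump for every `cfg.Snat` value except `"disable"`, so SNAT is opt-out, yet `DoSnat` acts only when `cfg.Snat != "disable"` (already on) and `UndoSnat` only when `cfg.Snat == "disable"` (already off). As written, an enable request on a disabled network is a no-op, an enable on an active network adds a second `Goto SNAT` jump, and a disable request on an active network never removes the jump, so masquerading silently keeps running after an operator believes it is off. The conditions should be `if cfg.Snat == "disable" { cfg.Snat = "enable"; w.doSnat() }` in `DoSnat` and `if cfg.Snat != "disable" { cfg.Snat = "disable"; w.undoSnat() }` in `UndoSnat`, mirroring the opt-in `DoZTrust`/`UndoZTrust` pair with the sense flipped. Whether `AddRuleX` de-duplicates a repeated jump is not visible here, so the duplicate-rule case should be checked against the firewall helper. The hunk's trailing context is the head of `doTrust`, whose body continues outside it.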
@@ -403,6 +435,15 @@ func (w *WorkerImpl) doTrust() {
 })
 } 
+func (w *WorkerImpl) undoTrust() { _, vpn := w.GetCfgs() w.fire.Mangle.Pre.DelRuleX(cn.IPRule{ Input: vpn.Device, Jump: w.ztrust.Chain(), Comment: "Goto Zero Trust", }) }
 func (w *WorkerImpl) DoZTrust() {
 cfg, _ := w.GetCfgs()
 if cfg.ZTrust != "enable" { 
@@ -411,15 +452,6 @@ func (w *WorkerImpl) DoZTrust() {
 }
 } 
-func (w *WorkerImpl) undoTrust() { _, vpn := w.GetCfgs() w.fire.Mangle.Pre.DelRuleX(cn.IPRule{ Input: vpn.Device, Jump: w.ztrust.Chain(), Comment: "Goto Zero Trust", }) }
 func (w *WorkerImpl) UndoZTrust() {
 cfg, _ := w.GetCfgs()
 if cfg.ZTrust == "enable" { 
@@ -491,6 +523,10 @@ func (w *WorkerImpl) Start(v api.Switcher) {
 }
 w.fire.Start() 
+ w.snat.Install() 
+ if cfg.Snat != "disable" { 
+ w.doSnat() 
+ }
 if cfg.Bridge.Mss > 0 {
 // forward to remote
 w.setMss() 
@@ -575,6 +611,12 @@ func (w *WorkerImpl) RestartVPN() {
 func (w *WorkerImpl) Stop() {
 w.out.Info("WorkerImpl.Stop") 
+ cfg, _ := w.GetCfgs() 
+ if cfg.Snat != "disable" { 
+ w.undoSnat() 
+ } 
+ 
+ w.snat.Cancel()
 w.fire.Stop()
 w.findhop.Stop()
 w.acl.Stop() 
@@ -593,8 +635,8 @@ func (w *WorkerImpl) Stop() {
 w.vrf.Down()
 } 
- for _, output := range w.cfg.Outputs { 
- w.delOutput(w.cfg.Bridge.Name, output) 
+ for _, output := range cfg.Outputs { 
+ w.delOutput(cfg.Bridge.Name, output)
 }
 w.setR.Destroy() 
@@ -691,7 +733,7 @@ func (w *WorkerImpl) toForward_s(input, srcSet, prefix, comment string) {
 func (w *WorkerImpl) toMasq_r(source, pfxSet, comment string) {
 // Enable masquerade from source to prefix.
 output := "" 
- w.fire.Nat.Post.AddRule(cn.IPRule{ 
+ w.snat.AddRule(cn.IPRule{
 Mark: uint32(w.table),
 Source: source,
 DestSet: pfxSet, 
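Review bot: In the `Start()` hunk the check `if cfg.Snat != "disable"` makes SNAT on by default, including when the `snat` key is absent from the network JSON and the field is the empty string; nothing in the code says so, and an operator reading the config struct would reasonably assume the opposite. A one-line comment above the check, `// snat is opt-out: only an explicit "disable" skips the nat POSTROUTING jump; unset means enabled.`, would make the default visible where it is decided. The same guard in `Stop()` means the jump is only removed when `cfg.Snat` still says enabled; if the runtime toggles and the config ever disagree, the `Goto SNAT` rule is left pointing at a chain that `w.snat.Cancel()` presumably tears down, and an unconditional `w.undoSnat()` before `Cancel()` would be the safer order, provided `DelRuleX` tolerates a missing rule, which is not visible here. `Start()`, `Stop()` and `toMasq_r` all continue outside their hunks.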
@@ -705,7 +747,7 @@ func (w *WorkerImpl) toMasq_r(source, pfxSet, comment string) {
 func (w *WorkerImpl) toMasq_s(srcSet, prefix, comment string) {
 output := ""
 // Enable masquerade from source to prefix. 
- w.fire.Nat.Post.AddRule(cn.IPRule{ 
+ w.snat.AddRule(cn.IPRule{
 Mark: uint32(w.table),
 SrcSet: srcSet,
 Dest: prefix, 
@@ -837,6 +879,7 @@ func (w *WorkerImpl) forwardVPN() {
 for _, rt := range vpn.Routes {
 w.addVPNSet(rt)
 } 
+
 if w.vrf != nil {
 w.toForward_r(w.vrf.Name(), vpn.Subnet, w.setV.Name, "From VPN")
 } else { 
@@ -904,7 +947,6 @@ func (w *WorkerImpl) forwardSubnet() {
 if vpn != nil {
 w.toMasq_s(w.setR.Name, vpn.Subnet, "To VPN")
 } 
- w.toMasq_r(subnet.String(), w.setR.Name, "To Masq")
 } 
@@ -970,7 +1012,6 @@ func (w *WorkerImpl) correctRoute(route *schema.PrefixRoute) co.PrefixRoute {
 Prefix: route.Prefix,
 NextHop: route.NextHop,
 FindHop: route.FindHop, 
- Mode: route.Mode,
 Metric: route.Metric,
 }
 rt.CorrectRoute(w.IfAddr()) 
@@ -983,7 +1024,6 @@ func (w *WorkerImpl) ListRoute(call func(obj schema.PrefixRoute)) {
 Prefix: obj.Prefix,
 NextHop: obj.NextHop,
 FindHop: obj.FindHop, 
- Mode: obj.Mode,
 Metric: obj.Metric,
 }
 call(data)
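Review bot: The comment `// Enable masquerade from source to prefix.` above the changed `w.snat.AddRule` call in `toMasq_s` is now only half true: the rule lands in the per-network `XTT_<name>_SNAT` chain and takes effect only while the `Goto SNAT` jump from nat POSTROUTING is installed, which `Start()` skips when `cfg.Snat == "disable"`. Rewording it to `// Queue a masquerade rule in the per-network SNAT chain; it is live only while the POSTROUTING jump is installed (cfg.Snat != "disable").` keeps the next reader from expecting the rule in POSTROUTING directly. `w.snat` is created in `Initialize()` and installed by `w.snat.Install()` in `Start()`; whether rules added through `AddRule` before `Install()` runs are still applied depends on `FireWallChain` semantics not visible here, so the call order of `forwardSubnet`/`forwardVPN` relative to `Install()` should be confirmed. `toMasq_s` continues past the end of the hunk.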