Actually, I don’t know how your topology has been planned, but a basic idea could be: eth00, eth00.10 and eth00.20 as internal LANs, and eth01 as WAN (connected, in some manner, to the internet). In this case, you’d have to put, in NAT enabled interfaces, only the eth01 interface. If you still have issues, try to describe your network topology and what you want to achieve.