NATing each VLAN to a /29 IP?

Question

Our ISP provided us with a public /29 subnet. As an example, let's say they assigned us 172.16.254.0/29. 
 Our gateway address is 172.16.254.1. 
 We directly connected the Sophos UTM on eth1 to their GW. 
 We assigned to eth1 the IP address 172.16.254.2/29. 
 
 We have an active Link Aggregation lag0. 
 We added multiple VLAN Interfaces to lag0: VLAN10, VLAN20, VLAN30. Each with it's own private network. 
 
 Our goal is to assign each VLAN it's unique public ip address: VLAN10=172.16.254.3, VLAN20=172.16.254.4, VLAN30=172.16.254.5. In other words: Facing outward, each computer should communicate with internet services with public IP assigned to the VLAN the computer is connected to. And I should be able to add Portmappings from the public IP to servers within the respective VLANs. 
 Unfortunately, I don't know how I can assign the public IPs to the respective VLANs. 
 I tried adding Additional Addresses and using Masquerading, but that only results in a loss of connection. I assume that the packet is still sent, but that the response does either not reach the UTM, or the UTM does not remember which computer in which VLAN started the request. I hope you can help.

Louis-M · Accepted Answer

You need to add the additional IP's to the WAN or ISP interface (make sure they are turned on too with the green slider) 
 You can then use masquerading or source NAT to do this (outgoing) and then you will need to add DNAT for incoming connections. 
 You don't assign a vlan to an interface for natting but rather that vlan's subnet eg 192.168.1.0/24 >> 172.16.254.3 (either create a masquerade or source nat rule) 
 And then, don't forget to check your firewall rules to allow the traffic or your web filter if you have that proxy going too. 
 Nice little explanation here: 
 https://www.stephenwagner.com/2010/07/03/astaro-security-gateway-snat-dnat-1-to-1-nat-and-full-nat-howto/