Source: http://www.vyatta.org/forum/viewtopic.php?t=3397

    internet <-----> physical interface <----> /29 address on br0 <----> physical interface
                                                        ^
                                                        |
                                                   ----------
                                                   |  NAT   |
                                                   ----------
                                                        |
                                                  office subnet

Basically, this lets me NAT my office subnet off the /29 address assigned to br0 and then use my other subnet addresses on any machine hanging off of the other interface. It lets me put a firewall between the internet and the rest of the /29 addresses as well. It's the same as using a switch, except we are doing the bridging in software.

Here is a sample Vyatta config skeleton that will do this:

    interfaces {
        bridge br0 {
            address x.x.x.x/29
            aging 300
            description bridge-for-public-addresses
            disable false
            firewall {
                in {
                    name WAN-IN
                }
                local {
                    name WAN-LOCAL
                }
            }
        }
        ethernet eth0 {
            address 10.10.10.1/24
        }
        ethernet eth1 {
            bridge-group {
                bridge br0
            }
            description "Physical Outside Interface"
        }
        ethernet eth2 {
            bridge-group {
                bridge br0
            }
            description "Public Subnet Passthrough Interface"
        }
    }
    service {
        nat {
            rule 99 {
                outbound-interface br0
                protocol all
                type masquerade
            }
        }
    }
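A consistency check for the skeleton above, as an added example that is not part of the original post: it parses the brace-delimited config and reports interfaces or firewall rule sets that are referenced but never defined, plus masquerade rules with no source match. The function names and the checks are hypothetical, and the parser assumes every leaf is a single `key value` pair.

```python
import shlex

# The skeleton as posted on the page (x.x.x.x/29 is the author's placeholder).
SKELETON = """
interfaces { bridge br0 { address x.x.x.x/29 aging 300 description bridge-for-public-addresses
  disable false firewall { in { name WAN-IN } local { name WAN-LOCAL } } }
 ethernet eth0 { address 10.10.10.1/24 }
 ethernet eth1 { bridge-group { bridge br0 } description "Physical Outside Interface" }
 ethernet eth2 { bridge-group { bridge br0 } description "Public Subnet Passthrough Interface" } }
service { nat { rule 99 { outbound-interface br0 protocol all type masquerade } } }
"""

def parse(text):
    """Return (node paths, leaves); assumes every leaf is exactly 'key value'."""
    tok = shlex.split(text)                 # quoted descriptions stay one token
    path, nodes, leaves, i = [], set(), [], 0
    while i < len(tok):
        if tok[i] == "}":                   # close the current node
            path.pop()
            i += 1
        elif "{" in tok[i + 1:i + 3]:       # node: 'firewall {' or 'bridge br0 {'
            end = tok.index("{", i)
            path.append(" ".join(tok[i:end]))
            nodes.add(tuple(path))
            i = end + 1
        else:                               # leaf: 'aging 300'
            leaves.append((tuple(path), tok[i], tok[i + 1]))
            i += 2
    return nodes, leaves

def lint(text):
    """List dangling interface/rule-set references and unscoped masquerade rules."""
    nodes, leaves = parse(text)
    ifaces = {p[1].split()[-1] for p in nodes if len(p) == 2 and p[0] == "interfaces"}
    rulesets = {p[1].split()[-1] for p in nodes
                if len(p) == 2 and p[0] == "firewall" and p[1].startswith("name ")}
    out = []
    for path, key, val in leaves:
        where = " ".join(path[1:])
        if key in ("bridge", "outbound-interface") and val not in ifaces:
            out.append(f"{where}: interface {val} is not defined")
        elif key == "name" and path[:1] == ("interfaces",) and "firewall" in path and val not in rulesets:
            out.append(f"{where}: rule set {val} is not defined")
        elif key == "type" and val == "masquerade" and path + ("source",) not in nodes:
            out.append(f"{where}: masquerade rule has no source match")
    return out

if __name__ == "__main__":
    print("\n".join(lint(SKELETON)))
```

Run against the skeleton as posted, it reports that WAN-IN and WAN-LOCAL are referenced on br0 but not yet defined, and that rule 99 has no source match.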