diff --git a/doc/ChangeLog b/doc/ChangeLog index 8c935cfbc..4cf672037 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,10 @@ +2011-07-19 vadim + + * NATCompiler_ipt.cpp (processNext): fixed SF bug 3371301 "Error + compiling with VLAN and masquerade". Iptables NAT rules with vlan + interface configured as "dynamic" and no ip address in Translated + Source caused compiler crash. + 2011-07-18 theron * Fixed #2511: make sure auto-scroll of items in ObjectTreeView works, otherwise it's impossible to move an item into a diff --git a/src/iptlib/NATCompiler_ipt.cpp b/src/iptlib/NATCompiler_ipt.cpp index 2c047b5fb..2bfc45d99 100644 --- a/src/iptlib/NATCompiler_ipt.cpp +++ b/src/iptlib/NATCompiler_ipt.cpp @@ -877,14 +877,17 @@ bool NATCompiler_ipt::addVirtualAddress::processNext() cluster = Cluster::cast( compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id"))); - Address *a=NULL; + Address *a = NULL; if (rule->getRuleType()==NATRule::SNAT || rule->getRuleType()==NATRule::DNAT) { if (rule->getRuleType()==NATRule::SNAT) - a=compiler->getFirstTSrc(rule); + a = compiler->getFirstTSrc(rule); else - a=compiler->getFirstODst(rule); + a = compiler->getFirstODst(rule); + + Interface *iface = Interface::cast(a); + if (iface && ! iface->isRegular()) return true; if ( ! a->isAny() && ! compiler->complexMatch(a, compiler->fw) && @@ -894,7 +897,8 @@ bool NATCompiler_ipt::addVirtualAddress::processNext() { compiler->warning( rule, - string("Adding of virtual address for address range is not implemented (object ") + + string("Adding of virtual address for address range " + "is not implemented (object ") + a->getName() + ")" ); } else compiler->osconfigurator->addVirtualAddressForNAT( a ); diff --git a/src/iptlib/OSConfigurator_linux24.cpp b/src/iptlib/OSConfigurator_linux24.cpp index 53f564023..489132621 100644 --- a/src/iptlib/OSConfigurator_linux24.cpp +++ b/src/iptlib/OSConfigurator_linux24.cpp 
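Review bot: In the first NATCompiler_ipt.cpp hunk, `a` is still dereferenced at `a->isAny()` with no NULL check, because the new guard only covers the case where `a` casts to a non-regular Interface. Whether `getFirstTSrc()` or `getFirstODst()` can return NULL is not visible here, but `a` is initialised to NULL, so a guard such as `if (a == NULL) return true;` ahead of the `Interface::cast(a)` line would close that remaining crash path. The early return also silently skips the virtual address for the rule, so it deserves a comment, e.g. `// non-regular (e.g. dynamic) interface: no address known at compile time, nothing to add`. The body of processNext() starts and ends outside the hunk, so confirm the rule has already been queued before either early return is taken.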
@@ -245,11 +245,13 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Network *nw) void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr) { FWOptions* options=fw->getOptionsObject(); - if ( options->getBool("manage_virtual_addr") ) + if ( options->getBool("manage_virtual_addr") ) { + const InetAddr *addr_addr = addr->getAddressPtr(); + if (virtual_addresses.empty() || - find(virtual_addresses.begin(),virtual_addresses.end(), - *(addr->getAddressPtr())) == virtual_addresses.end()) + find(virtual_addresses.begin(), + virtual_addresses.end(), *addr_addr) == virtual_addresses.end()) { FWObject *vaddr = findAddressFor(addr, fw ); if (vaddr!=NULL) @@ -262,7 +264,7 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr) Address::cast(vaddr)->getNetmaskPtr(); addresses.push_back(QString("%1/%2"). - arg(addr->getAddressPtr()->toString().c_str()). + arg(addr_addr->toString().c_str()). arg(vaddr_netm->getLength())); if (virtual_addresses_for_nat.count(iface->getName()) > 0) @@ -271,11 +273,10 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr) virtual_addresses_for_nat[iface->getName()] = addresses.join(" ").toStdString(); - virtual_addresses.push_back(*(addr->getAddressPtr())); + virtual_addresses.push_back(*(addr_addr)); registerVirtualAddressForNat(); } else - warning("Can not add virtual address for object " + - addr->getName() ); + warning("Can not add virtual address for object " + addr->getName()); } return; } diff --git a/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig b/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig index fd1a6e6e6..51772d2a3 100755 --- a/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig +++ b/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig 
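Review bot: `addr_addr` is taken from `addr->getAddressPtr()` in the first OSConfigurator_linux24.cpp hunk and dereferenced in the `find(...)` call without a NULL check; the two later hunks use the same pointer in `addr_addr->toString()` and `push_back(*(addr_addr))`. If `getAddressPtr()` can return NULL for an object with no address (the ChangeLog entry suggests this is what crashed the compiler, but it is not visible here), this function now depends entirely on the caller in NATCompiler_ipt.cpp filtering such objects out. A local guard right after the assignment would keep any other caller safe, for example `if (addr_addr == NULL) { warning("Can not add virtual address for object " + addr->getName()); return; }`.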
@@ -2,9 +2,9 @@ # # This is automatically generated file. DO NOT MODIFY ! # -# Firewall Builder fwb_ipt v5.0.0.3547 +# Firewall Builder fwb_ipt v5.0.0.3564 # -# Generated Fri Jun 3 17:29:48 2011 PDT by vadim +# Generated Tue Jul 19 19:05:24 2011 PDT by vadim # # files: * heartbeat_cluster_1_d_linux-2-d.fw firewall.sh # @@ -19,8 +19,6 @@ # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown. # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown. -# linux-2-d::: warning: Can not add virtual address for object eth0 - FWBDEBUG="" @@ -751,7 +749,7 @@ test -z "$cmd" && { case "$cmd" in start) - log "Activating firewall script generated Fri Jun 3 17:29:48 2011 by vadim" + log "Activating firewall script generated Tue Jul 19 19:05:24 2011 by vadim" check_tools prolog_commands check_run_time_address_table_files