Enabled traffic toward ExternalCIDR

This PR enables peered clusters to exchange traffic toward ExternalCIDR, as they already do with PodCIDR. To solve this problem, routing drives supported by Liqo have been modified in such a way that now routing tables hold not only PodCIDR destinations but also ExternalCIDR destinations.
liqotech · Jun 28, 2021 · ea80a05 · ea80a05
1 parent 38070ae
commit ea80a05
Show file tree

Hide file tree

Showing 15 changed files with 464 additions and 120 deletions.
diff --git a/internal/liqonet/route-operator/routeOperator.go b/internal/liqonet/route-operator/routeOperator.go
@@ -95,6 +95,7 @@ func (rc *RouteController) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 	}
 	clusterID := tep.Spec.ClusterID
 	_, remotePodCIDR := utils.GetPodCIDRS(tep)
+	_, remoteExternalCIDR := utils.GetExternalCIDRS(tep)
 	// Examine DeletionTimestamp to determine if object is under deletion.
 	if tep.ObjectMeta.DeletionTimestamp.IsZero() {
 		if !controllerutil.ContainsFinalizer(tep, routeOperatorFinalizer) {
@@ -118,13 +119,16 @@ func (rc *RouteController) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 			klog.Infof("resource {%s} of type {%s} is being removed", tep.Name, tep.GroupVersionKind().String())
 			deleted, err := rc.RemoveRoutesPerCluster(tep)
 			if err != nil {
-				klog.Errorf("%s -> unable to remove route for destination {%s}: %s", clusterID, remotePodCIDR, err)
+				klog.Errorf("%s -> unable to remove route for destinations {%s} and {%s}: %s",
+					clusterID, remotePodCIDR, remoteExternalCIDR, err)
 				rc.Eventf(tep, "Warning", "Processing", "unable to remove route: %s", err.Error())
 				return result, err
 			}
 			if deleted {
-				klog.Infof("%s -> route for destination {%s} correctly removed", clusterID, remotePodCIDR)
-				rc.Eventf(tep, "Normal", "Processing", "route for destination {%s} correctly removed", remotePodCIDR)
+				klog.Infof("%s -> route for destinations {%s} and {%s} correctly removed",
+					clusterID, remotePodCIDR, remoteExternalCIDR)
+				rc.Eventf(tep, "Normal", "Processing", "route for destination {%s} and {%s} correctly removed",
+					remotePodCIDR, remoteExternalCIDR)
 			}
 			// remove the finalizer from the list and update it.
 			controllerutil.RemoveFinalizer(tep, routeOperatorFinalizer)
@@ -141,13 +145,15 @@ func (rc *RouteController) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 	}
 	added, err := rc.EnsureRoutesPerCluster(tep)
 	if err != nil {
-		klog.Errorf("%s -> unable to configure route for destination {%s}: %s", clusterID, remotePodCIDR, err)
-		rc.Eventf(tep, "Warning", "Processing", "unable to configure route for destination {%s}: %s", remotePodCIDR, err.Error())
+		klog.Errorf("%s -> unable to configure route for destinations {%s} and {%s}: %s",
+			clusterID, remotePodCIDR, remoteExternalCIDR, err)
+		rc.Eventf(tep, "Warning", "Processing", "unable to configure route for destinations {%s} and {%s}: %s",
+			remotePodCIDR, remoteExternalCIDR, err.Error())
 		return result, err
 	}
 	if added {
-		klog.Infof("%s -> route for destination {%s} correctly configured", clusterID, remotePodCIDR)
-		rc.Eventf(tep, "Normal", "Processing", "route for destination {%s} configured", remotePodCIDR)
+		klog.Infof("%s -> route for destinations {%s} and {%s} correctly configured", clusterID, remotePodCIDR, remoteExternalCIDR)
+		rc.Eventf(tep, "Normal", "Processing", "route for destinations {%s} and {%s} configured", remotePodCIDR, remoteExternalCIDR)
 	}
 	return result, nil
 }

diff --git a/internal/liqonet/tunnel-operator/tunnel-operator.go b/internal/liqonet/tunnel-operator/tunnel-operator.go
@@ -50,6 +50,10 @@ var (
 	result = ctrl.Result{}
 )
 
+// Constant used for add/deletion of policy routing rules
+// to specify any network.
+const anyNetwork = ""
+
 // TunnelController type of the tunnel controller.
 type TunnelController struct {
 	client.Client
@@ -144,7 +148,7 @@ func NewTunnelController(podIP, namespace string, er record.EventRecorder,
 func (tc *TunnelController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	var tep = new(netv1alpha1.TunnelEndpoint)
 	var err error
-	var clusterID, remotePodCIDR string
+	var clusterID, remotePodCIDR, remoteExternalCIDR string
 	var con *netv1alpha1.Connection
 
 	var configGWNetns = func(netNamespace ns.NetNS) error {
@@ -189,25 +193,41 @@ func (tc *TunnelController) Reconcile(ctx context.Context, req ctrl.Request) (ct
 		return nil
 	}
 	var configHNetns = func(netNamespace ns.NetNS) error {
-		added, err := liqorouting.AddPolicyRoutingRule(remotePodCIDR, "", liqoconst.RoutingTableID)
+		added, err := liqorouting.AddPolicyRoutingRule(remotePodCIDR, anyNetwork, liqoconst.RoutingTableID)
 		if err != nil {
 			klog.Errorf("%s -> unable to configure policy routing rule for subnet {%s}: %s", clusterID, remotePodCIDR, err)
 			return err
 		}
 		if added {
 			klog.Infof("%s -> policy routing rule for subnet {%s} correctly configured", clusterID, remotePodCIDR)
 		}
+		added, err = liqorouting.AddPolicyRoutingRule(remoteExternalCIDR, anyNetwork, liqoconst.RoutingTableID)
+		if err != nil {
+			klog.Errorf("%s -> unable to configure policy routing rule for subnet {%s}: %s", clusterID, remoteExternalCIDR, err)
+			return err
+		}
+		if added {
+			klog.Infof("%s -> policy routing rule for subnet {%s} correctly configured", clusterID, remoteExternalCIDR)
+		}
 		return nil
 	}
 	var unconfigHNetns = func(netNamespace ns.NetNS) error {
-		deleted, err := liqorouting.DelPolicyRoutingRule(remotePodCIDR, "", liqoconst.RoutingTableID)
+		deleted, err := liqorouting.DelPolicyRoutingRule(remotePodCIDR, anyNetwork, liqoconst.RoutingTableID)
 		if err != nil {
 			klog.Errorf("%s -> unable to remove policy routing rule for subnet {%s}: %s", clusterID, remotePodCIDR, err)
 			return err
 		}
 		if deleted {
 			klog.Infof("%s -> policy routing rule for subnet {%s} correctly removed", clusterID, remotePodCIDR)
 		}
+		deleted, err = liqorouting.DelPolicyRoutingRule(remoteExternalCIDR, anyNetwork, liqoconst.RoutingTableID)
+		if err != nil {
+			klog.Errorf("%s -> unable to remove policy routing rule for subnet {%s}: %s", clusterID, remoteExternalCIDR, err)
+			return err
+		}
+		if deleted {
+			klog.Infof("%s -> policy routing rule for subnet {%s} correctly removed", clusterID, remoteExternalCIDR)
+		}
 		return nil
 	}
 	// Name of our finalizer.
@@ -228,6 +248,7 @@ func (tc *TunnelController) Reconcile(ctx context.Context, req ctrl.Request) (ct
 		return result, nil
 	}
 	_, remotePodCIDR = utils.GetPodCIDRS(tep)
+	_, remoteExternalCIDR = utils.GetExternalCIDRS(tep)
 	// Examine DeletionTimestamp to determine if object is under deletion.
 	if tep.ObjectMeta.DeletionTimestamp.IsZero() {
 		if !controllerutil.ContainsFinalizer(tep, tunnelEndpointFinalizer) {

diff --git a/pkg/consts/liqonet.go b/pkg/consts/liqonet.go
@@ -58,6 +58,8 @@ const (
 	OverlayNetworkMask = "/8"
 	// PodCIDR is a field of the TunnelEndpoint resource.
 	PodCIDR = "PodCIDR"
+	// ExternalCIDR is a field of the TunnelEndpoint resource.
+	ExternalCIDR = "ExternalCIDR"
 	// LocalPodCIDR is a field of the TunnelEndpoint resource.
 	LocalPodCIDR = "LocalPodCIDR"
 	// LocalExternalCIDR is a field of the TunnelEndpoint resource.
@@ -68,4 +70,6 @@ const (
 	LocalNATExternalCIDR = "LocalNATExternalCIDR"
 	// RemoteNATPodCIDR is a field of the TunnelEndpoint resource.
 	RemoteNATPodCIDR = "RemoteNATPodCIDR"
+	// RemoteNATExternalCIDR is a field of the TunnelEndpoint resource.
+	RemoteNATExternalCIDR = "RemoteNATExternalCIDR"
 )
diff --git a/pkg/liqonet/iptables/iptables.go b/pkg/liqonet/iptables/iptables.go
@@ -669,6 +669,7 @@ func getPostroutingRules(tep *netv1alpha1.TunnelEndpoint) ([]IPTableRule, error)
 	clusterID := tep.Spec.ClusterID
 	localPodCIDR := tep.Status.LocalPodCIDR
 	localRemappedPodCIDR, remotePodCIDR := utils.GetPodCIDRS(tep)
+	_, remoteExternalCIDR := utils.GetExternalCIDRS(tep)
 	if localRemappedPodCIDR != consts.DefaultCIDRValue {
 		// Get the first IP address from the podCIDR of the local cluster
 		// in this case it is the podCIDR to which the local podCIDR has bee remapped by the remote peering cluster
@@ -681,6 +682,7 @@ func getPostroutingRules(tep *netv1alpha1.TunnelEndpoint) ([]IPTableRule, error)
 		return []IPTableRule{
 			{"-s", localPodCIDR, "-d", remotePodCIDR, "-j", NETMAP, "--to", localRemappedPodCIDR},
 			{"!", "-s", localPodCIDR, "-d", remotePodCIDR, "-j", SNAT, "--to-source", natIP},
+			{"!", "-s", localPodCIDR, "-d", remoteExternalCIDR, "-j", SNAT, "--to-source", natIP},
 		}, nil
 	}
 	// Get the first IP address from the podCIDR of the local cluster
@@ -692,6 +694,7 @@ func getPostroutingRules(tep *netv1alpha1.TunnelEndpoint) ([]IPTableRule, error)
 	}
 	return []IPTableRule{
 		{"!", "-s", localPodCIDR, "-d", remotePodCIDR, "-j", SNAT, "--to-source", natIP},
+		{"!", "-s", localPodCIDR, "-d", remoteExternalCIDR, "-j", SNAT, "--to-source", natIP},
 	}, nil
 }
 
@@ -704,7 +707,7 @@ func getChainRulesPerCluster(tep *netv1alpha1.TunnelEndpoint) (map[string][]IPTa
 	}
 	clusterID := tep.Spec.ClusterID
 	localRemappedPodCIDR, remotePodCIDR := utils.GetPodCIDRS(tep)
-	localRemappedExternalCIDR := utils.GetExternalCIDR(tep)
+	localRemappedExternalCIDR, _ := utils.GetExternalCIDRS(tep)
 
 	// Init chain rules
 	chainRules := make(map[string][]IPTableRule)

diff --git a/pkg/liqonet/iptables/iptables_test.go b/pkg/liqonet/iptables/iptables_test.go
@@ -640,6 +640,25 @@ var _ = Describe("iptables", func() {
 				tep = validTep.DeepCopy() // Otherwise RemoveIPTablesConfigurationPerCluster would fail in AfterEach
 			})
 		})
+		Context(fmt.Sprintf("If tep has Status.RemoteNATExternalCIDR = %s and an invalid Spec.ExternalCIDR",
+			consts.DefaultCIDRValue), func() {
+			It("should return a WrongParameter error", func() {
+				tep.Status.RemoteNATExternalCIDR = consts.DefaultCIDRValue
+				tep.Spec.ExternalCIDR = invalidValue
+				err := h.EnsurePostroutingRules(tep)
+				Expect(err).To(MatchError(fmt.Sprintf("invalid TunnelEndpoint resource: %s must be %s", consts.ExternalCIDR, errors.ValidCIDR)))
+				tep = validTep.DeepCopy() // Otherwise RemoveIPTablesConfigurationPerCluster would fail in AfterEach
+			})
+		})
+		Context(fmt.Sprintf("If tep has an invalid Status.RemoteNATExternalCIDR != %s",
+			consts.DefaultCIDRValue), func() {
+			It("should return a WrongParameter error", func() {
+				tep.Status.RemoteNATExternalCIDR = invalidValue
+				err := h.EnsurePostroutingRules(tep)
+				Expect(err).To(MatchError(fmt.Sprintf("invalid TunnelEndpoint resource: %s must be %s", consts.RemoteNATExternalCIDR, errors.ValidCIDR)))
+				tep = validTep.DeepCopy() // Otherwise RemoveIPTablesConfigurationPerCluster would fail in AfterEach
+			})
+		})
 		Context(fmt.Sprintf("If tep has an invalid Status.RemoteNATPodCIDR != %s",
 			consts.DefaultCIDRValue), func() {
 			It("should return a WrongParameter error", func() {
@@ -673,7 +692,10 @@ var _ = Describe("iptables", func() {
 				Expect(newPostRoutingRules).ToNot(ContainElements(postRoutingRules))
 				Expect(newPostRoutingRules).To(ContainElements([]string{
 					fmt.Sprintf("-s %s -d %s -j %s --to %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR, NETMAP, tep.Status.LocalNATPodCIDR),
-					fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR, SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+					fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR,
+						SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+					fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATExternalCIDR,
+						SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
 				}))
 			})
 		})
@@ -688,39 +710,114 @@ var _ = Describe("iptables", func() {
 				Expect(postRoutingRules).To(ContainElements(expectedRules))
 			},
 			Entry(
-				fmt.Sprintf("RemoteNATPodCIDR != %s, LocalNATPodCIDR != %s", consts.DefaultCIDRValue, consts.DefaultCIDRValue),
+				fmt.Sprintf("RemoteNATExternalCIDR != %s, RemoteNATPodCIDR != %s, LocalNATPodCIDR != %s", consts.DefaultCIDRValue,
+					consts.DefaultCIDRValue, consts.DefaultCIDRValue),
 				func() {},
 				func() []string {
 					return []string{
 						fmt.Sprintf("-s %s -d %s -j %s --to %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR, NETMAP, tep.Status.LocalNATPodCIDR),
-						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR, SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATExternalCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
 					}
 				},
 			),
 			Entry(
-				fmt.Sprintf("RemoteNATPodCIDR != %s, LocalNATPodCIDR = %s", consts.DefaultCIDRValue, consts.DefaultCIDRValue),
+				fmt.Sprintf("RemoteNATExternalCIDR != %s, RemoteNATPodCIDR != %s, LocalNATPodCIDR = %s", consts.DefaultCIDRValue,
+					consts.DefaultCIDRValue, consts.DefaultCIDRValue),
 				func() { tep.Status.LocalNATPodCIDR = consts.DefaultCIDRValue },
 				func() []string {
-					return []string{fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR, SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR))}
+					return []string{fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR,
+						SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATExternalCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR))}
 				},
 			),
 			Entry(
-				fmt.Sprintf("RemoteNATPodCIDR = %s, LocalNATPodCIDR != %s", consts.DefaultCIDRValue, consts.DefaultCIDRValue),
+				fmt.Sprintf("RemoteNATExternalCIDR != %s, RemoteNATPodCIDR = %s, LocalNATPodCIDR != %s", consts.DefaultCIDRValue,
+					consts.DefaultCIDRValue, consts.DefaultCIDRValue),
 				func() { tep.Status.RemoteNATPodCIDR = consts.DefaultCIDRValue },
 				func() []string {
 					return []string{
 						fmt.Sprintf("-s %s -d %s -j %s --to %s", tep.Status.LocalPodCIDR, tep.Spec.PodCIDR, NETMAP, tep.Status.LocalNATPodCIDR),
-						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.PodCIDR, SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.PodCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATExternalCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+					}
+				},
+			),
+			Entry(fmt.Sprintf("RemoteNATExternalCIDR != %s, RemoteNATPodCIDR = %s, LocalNATPodCIDR = %s", consts.DefaultCIDRValue,
+				consts.DefaultCIDRValue, consts.DefaultCIDRValue),
+				func() {
+					tep.Status.RemoteNATPodCIDR = consts.DefaultCIDRValue
+					tep.Status.LocalNATPodCIDR = consts.DefaultCIDRValue
+				},
+				func() []string {
+					return []string{fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.PodCIDR,
+						SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATExternalCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR))}
+				},
+			),
+			Entry(
+				fmt.Sprintf("RemoteNATExternalCIDR = %s, RemoteNATPodCIDR != %s, LocalNATPodCIDR != %s", consts.DefaultCIDRValue,
+					consts.DefaultCIDRValue, consts.DefaultCIDRValue),
+				func() { tep.Status.RemoteNATExternalCIDR = consts.DefaultCIDRValue },
+				func() []string {
+					return []string{
+						fmt.Sprintf("-s %s -d %s -j %s --to %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR, NETMAP, tep.Status.LocalNATPodCIDR),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.ExternalCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+					}
+				},
+			),
+			Entry(
+				fmt.Sprintf("RemoteNATExternalCIDR = %s, RemoteNATPodCIDR != %s, LocalNATPodCIDR = %s", consts.DefaultCIDRValue,
+					consts.DefaultCIDRValue, consts.DefaultCIDRValue),
+				func() {
+					tep.Status.LocalNATPodCIDR = consts.DefaultCIDRValue
+					tep.Status.RemoteNATExternalCIDR = consts.DefaultCIDRValue
+				},
+				func() []string {
+					return []string{fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Status.RemoteNATPodCIDR,
+						SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.ExternalCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR))}
+				},
+			),
+			Entry(
+				fmt.Sprintf("RemoteNATExternalCIDR = %s, RemoteNATPodCIDR = %s, LocalNATPodCIDR != %s", consts.DefaultCIDRValue,
+					consts.DefaultCIDRValue, consts.DefaultCIDRValue),
+				func() {
+					tep.Status.RemoteNATPodCIDR = consts.DefaultCIDRValue
+					tep.Status.RemoteNATExternalCIDR = consts.DefaultCIDRValue
+				},
+				func() []string {
+					return []string{
+						fmt.Sprintf("-s %s -d %s -j %s --to %s", tep.Status.LocalPodCIDR, tep.Spec.PodCIDR, NETMAP, tep.Status.LocalNATPodCIDR),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.PodCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.ExternalCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalNATPodCIDR)),
 					}
 				},
 			),
-			Entry(fmt.Sprintf("RemoteNATPodCIDR = %s, LocalNATPodCIDR = %s", consts.DefaultCIDRValue, consts.DefaultCIDRValue),
+			Entry(fmt.Sprintf("RemoteNATExternalCIDR = %s, RemoteNATPodCIDR = %s, LocalNATPodCIDR = %s", consts.DefaultCIDRValue,
+				consts.DefaultCIDRValue, consts.DefaultCIDRValue),
 				func() {
 					tep.Status.RemoteNATPodCIDR = consts.DefaultCIDRValue
 					tep.Status.LocalNATPodCIDR = consts.DefaultCIDRValue
+					tep.Status.RemoteNATExternalCIDR = consts.DefaultCIDRValue
 				},
 				func() []string {
-					return []string{fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.PodCIDR, SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR))}
+					return []string{fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.PodCIDR,
+						SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR)),
+						fmt.Sprintf("! -s %s -d %s -j %s --to-source %s", tep.Status.LocalPodCIDR, tep.Spec.ExternalCIDR,
+							SNAT, mustGetFirstIP(tep.Status.LocalPodCIDR))}
 				},
 			),
 		)

diff --git a/pkg/liqonet/routing/common.go b/pkg/liqonet/routing/common.go
@@ -210,22 +210,23 @@ func flushRulesForRoutingTable(routingTableID int) error {
 	return nil
 }
 
-func getRouteConfig(tep *v1alpha1.TunnelEndpoint, podIP string) (dstNet, gatewayIP string, iFaceIndex int, err error) {
-	_, dstNet = utils.GetPodCIDRS(tep)
+func getRouteConfig(tep *v1alpha1.TunnelEndpoint, podIP string) (dstPodCIDRNet, dstExternalCIDRNet, gatewayIP string, iFaceIndex int, err error) {
+	_, dstPodCIDRNet = utils.GetPodCIDRS(tep)
+	_, dstExternalCIDRNet = utils.GetExternalCIDRS(tep)
 	// Check if we are running on the same host as the gateway pod.
 	if tep.Status.GatewayIP != podIP {
 		// If the pod is not running on the same host then set the IP address of the Gateway as next hop.
 		gatewayIP = tep.Status.GatewayIP
 		// Get the iFace index for the IP address of the Gateway pod.
 		iFaceIndex, err = getIFaceIndexForIP(gatewayIP)
 		if err != nil {
-			return dstNet, gatewayIP, iFaceIndex, err
+			return dstPodCIDRNet, dstExternalCIDRNet, gatewayIP, iFaceIndex, err
 		}
 	} else {
 		// Running on the same host as the Gateway then set the index of the veth device living on the same network namespace.
 		iFaceIndex = tep.Status.VethIFaceIndex
 	}
-	return dstNet, gatewayIP, iFaceIndex, err
+	return dstPodCIDRNet, dstExternalCIDRNet, gatewayIP, iFaceIndex, err
 }
 
 func getIFaceIndexForIP(ipAddress string) (int, error) {