diff --git a/felix/bpf-gpl/tc.c b/felix/bpf-gpl/tc.c
index 70d4b056f2d..0640d538756 100644
--- a/felix/bpf-gpl/tc.c
+++ b/felix/bpf-gpl/tc.c
@@ -445,7 +445,12 @@ static CALI_BPF_INLINE void calico_tc_process_ct_lookup(struct cali_tc_ctx *ctx)
 
 // Check whether the workload needs outgoing NAT to this address.
 if (r->flags & CALI_RT_NAT_OUT) {
- if (!(cali_rt_lookup_flags(&ctx->state->post_nat_ip_dst) & CALI_RT_IN_POOL)) {
+ struct cali_rt *rt = cali_rt_lookup(&ctx->state->post_nat_ip_dst);
+ enum cali_rt_flags flags = CALI_RT_UNKNOWN;
+ if (rt) {
+ flags = rt->flags;
+ }
+ if (!(flags & CALI_RT_IN_POOL) && !cali_rt_flags_local_host(flags)) {
 CALI_DEBUG("Source is in NAT-outgoing pool "
 "but dest is not, need to SNAT.\n");
 ctx->state->flags |= CALI_ST_NAT_OUTGOING;
diff --git a/felix/fv/bpf_test.go b/felix/fv/bpf_test.go
index 4ea6225ddfa..eacddee2631 100644
--- a/felix/fv/bpf_test.go
+++ b/felix/fv/bpf_test.go
@@ -375,6 +375,8 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 if testOpts.dsr {
 options.ExtraEnvVars["FELIX_BPFExternalServiceMode"] = "dsr"
 }
+ // ACCEPT is what is set by our manifests and operator by default.
+ options.ExtraEnvVars["FELIX_DefaultEndpointToHostAction"] = "ACCEPT"
 options.ExternalIPs = true
 options.ExtraEnvVars["FELIX_BPFExtToServiceConnmark"] = "0x80"
 if !testOpts.ipv6 {
@@ -1479,6 +1481,7 @@ func describeBPFTests(opts ...bpfTestOpt) bool {
 It("should handle NAT outgoing", func() {
 By("SNATting outgoing traffic with the flag set")
 cc.ExpectSNAT(w[0][0], felixIP(0), hostW[1])
+ cc.Expect(Some, w[0][0], hostW[0]) // no snat
 cc.CheckConnectivity(conntrackChecks(tc.Felixes)...)
 
 if testOpts.tunnel == "none" {
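Review bot: The added exemption `!cali_rt_flags_local_host(flags)` is undocumented, and the surrounding comment and debug text ("dest is not, need to SNAT") no longer describe the full condition that decides whether `CALI_ST_NAT_OUTGOING` is set. I would add above the new `if`: `// Do not SNAT traffic to this host's own addresses; only out-of-pool, off-host destinations need it.` (the rationale is inferred from the helper name, so please confirm the wording). The removed line shows `cali_rt_lookup_flags()` already wraps this lookup; if it yields `CALI_RT_UNKNOWN` on a miss, `enum cali_rt_flags flags = cali_rt_lookup_flags(&ctx->state->post_nat_ip_dst);` would replace the five open-coded lines. Host-local listeners will now see the workload address rather than a translated one, so anything on the host that filters or logs by source address is affected and the change deserves a release note. The enclosing function begins and ends outside this hunk.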
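Review bot: Setting `FELIX_DefaultEndpointToHostAction` to `ACCEPT` unconditionally means every BPF FV variant now runs with workload-to-host traffic accepted, so this suite no longer exercises the path under any more restrictive value. The new expectation in the NAT-outgoing test (`cc.Expect(Some, w[0][0], hostW[0])`) appears to be what needs this setting, so consider scoping it to that test or exposing it as a `bpfTestOpt`, leaving at least one variant on Felix's built-in value. If it stays global, extend the comment to say so, e.g. `// Applies to every BPF FV case; Felix's built-in default is not covered by this suite.` `describeBPFTests` continues outside the hunk.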
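Review bot: The intent of the new expectation lives only in the trailing `// no snat` comment, while the step description above it still reads "SNATting outgoing traffic with the flag set". A separate `By("Not SNATting traffic to the local host")` before the new line would make a failure report name the right case. If `cc.Expect` does not compare the observed source address with the workload's own, the no-SNAT property is documented here rather than asserted, so please confirm that it does. The `It` body continues past the end of the hunk.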