diff --git a/net/bridge.go b/net/bridge.go
index e6fb747c7f..d9a33c8ac7 100644
--- a/net/bridge.go
+++ b/net/bridge.go
@@ -602,7 +602,7 @@ func reexpose(config *BridgeConfig, log *logrus.Logger) error {
 for _, addr := range addrs {
 log.Infof("Re-exposing %s on bridge %q", addr.IPNet, config.WeaveBridgeName)
- if err := Expose(config.WeaveBridgeName, addr.IPNet, config.AWSVPC, config.NPC); err != nil {
+ if err := Expose(config.WeaveBridgeName, addr.IPNet, config.AWSVPC, config.NPC, false); err != nil {
 return errors.Wrapf(err, "unable to re-expose %s on bridge: %q", addr.IPNet, config.WeaveBridgeName)
 }
 }
diff --git a/net/expose.go b/net/expose.go
index 97edecbf7e..76ba41a1d6 100644
--- a/net/expose.go
+++ b/net/expose.go
@@ -18,7 +18,8 @@ import (
 // * "ipAddr" - IP addr to be assigned to the bridge.
 // * "removeDefaultRoute" - whether to remove a default route installed by the kernel (used only in the AWSVPC mode).
 // * "npc" - whether is Weave NPC running.
-func Expose(bridgeName string, ipAddr *net.IPNet, removeDefaultRoute, npc bool) error {
+// * "skipNAT" - whether to skip adding iptables NAT rules
+func Expose(bridgeName string, ipAddr *net.IPNet, removeDefaultRoute, npc bool, skipNAT bool) error {
 ipt, err := iptables.New()
 if err != nil {
 return errors.Wrap(err, "iptables.New")
@@ -29,8 +30,10 @@ func Expose(bridgeName string, ipAddr *net.IPNet, removeDefaultRoute, npc bool)
 return errors.Wrap(err, "addBridgeIPAddr")
 }
- if err := exposeNAT(ipt, cidr); err != nil {
- return errors.Wrap(err, "exposeNAT")
+ if !skipNAT {
+ if err := exposeNAT(ipt, cidr); err != nil {
+ return errors.Wrap(err, "exposeNAT")
+ }
 }
 if !npc {
diff --git a/prog/weaver/main.go b/prog/weaver/main.go
index 79c1b65a67..22e0ca232a 100644
--- a/prog/weaver/main.go
+++ b/prog/weaver/main.go
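Review bot: The hard-coded `false` passed to Expose here means every address handled by reexpose gets its NAT rules (re)added, regardless of whether it was originally exposed with skipNAT set; nothing in this diff records the skip choice per address, so unless that state lives somewhere not shown, a `--without-masquerade` exposure reverts to masquerading whenever reexpose runs. If that is intended, it deserves a comment on the call, e.g. `// skipNAT is not persisted: re-exposed addresses always get NAT rules`; if not, the skip flag needs to be stored with the exposed address and read back here. reexpose starts and ends outside the hunk.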
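Review bot: The new signature spells the type twice for adjacent bools, `removeDefaultRoute, npc bool, skipNAT bool`, where the surrounding style groups them; `removeDefaultRoute, npc, skipNAT bool` reads the same and matches the existing parameter list. The added doc line is also the only bullet without a terminating period and could say what is skipped, which the second hunk shows is the exposeNAT call: `// * "skipNAT" - whether to skip the exposeNAT step (iptables NAT rules for the exposed CIDR).` Expose continues past the end of the second hunk.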
@@ -513,7 +513,7 @@ func exposeForAWSVPC(alloc *ipam.Allocator, subnet address.CIDR, bridgeName stri
 addr, err := alloc.Allocate("weave:expose", subnet, false, func() bool { return false })
 checkFatal(err)
 cidr := address.MakeCIDR(subnet, addr)
- err = weavenet.Expose(bridgeName, cidr.IPNet(), true, false)
+ err = weavenet.Expose(bridgeName, cidr.IPNet(), true, false, false)
 checkFatal(err)
 Log.Printf("Bridge %q exposed on address %v", bridgeName, cidr)
 ready()
diff --git a/router/http.go b/router/http.go
index 88e66ca276..0f01495661 100644
--- a/router/http.go
+++ b/router/http.go
@@ -3,6 +3,7 @@ package router
 import (
 "fmt"
 "net/http"
+ "strconv"
 "github.com/gorilla/mux"
@@ -37,7 +38,14 @@ func (router *NetworkRouter) HandleHTTP(muxRouter *mux.Router) {
 return
 }
- if err = net.Expose(router.BridgeConfig.WeaveBridgeName, cidr.IPNet(), router.BridgeConfig.AWSVPC, router.BridgeConfig.NPC); err != nil {
+ var skipNAT bool
+ if r.FormValue("skipNAT") != "" {
+ if skipNAT, err = strconv.ParseBool(r.FormValue("skipNAT")); err != nil {
+ http.Error(w, fmt.Sprint("unable to parse skipNAT option: ", err.Error()), http.StatusBadRequest)
+ }
+ }
+
+ if err = net.Expose(router.BridgeConfig.WeaveBridgeName, cidr.IPNet(), router.BridgeConfig.AWSVPC, router.BridgeConfig.NPC, skipNAT); err != nil {
 http.Error(w, fmt.Sprint("unable to expose: ", err.Error()), http.StatusInternalServerError)
 return
 }
diff --git a/weave b/weave
index ad7d416756..a8463ffc77 100755
--- a/weave
+++ b/weave
@@ -69,7 +69,7 @@ weave attach [--without-dns] [--rewrite-hosts] [--no-multicast-route] [ ...]
 detach [ ...]
-weave expose [ ...] [-h ]
+weave expose [ ...] [-h ] [--without-masquerade]
 hide [ ...]
 weave dns-add [ ...] [-h ] |
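Review bot: In the router/http.go hunk at line 38, the ParseBool failure branch writes a 400 with http.Error but does not return, so the handler falls through and still calls net.Expose with skipNAT left at false; an unparsable value thus exposes the CIDR anyway, with masquerading on, and the later http.Error on an Expose failure would be a second WriteHeader on the same response. Add `return` directly after the `http.Error(w, fmt.Sprint("unable to parse skipNAT option: ", ...), http.StatusBadRequest)` line. While there, reading the form value once with `if v := r.FormValue("skipNAT"); v != "" {` avoids the duplicated lookup. HandleHTTP starts and ends outside the hunk.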
@@ -430,9 +430,10 @@ EOF
 }
 expose_ip() {
+ [ -z $WITHOUT_MASQUERADE ] || skipNAT="?skipNAT=true"
 ipam_cidrs allocate_no_check_alive weave:expose $CIDR_ARGS
 for CIDR in $ALL_CIDRS ; do
- call_weave "POST" "/expose/$CIDR"
+ call_weave "POST" "/expose/$CIDR$skipNAT"
 [ -z "$FQDN" ] || when_weave_running put_dns_fqdn_no_check_alive weave:expose $FQDN $CIDR
 done
@@ -1475,14 +1476,25 @@ case "$COMMAND" in
 dig @$DOCKER_BRIDGE_IP +short $1
 ;;
 expose)
+ WITHOUT_MASQUERADE=
+ FQDN=
 collect_cidr_args "$@"
 shift $CIDR_ARG_COUNT
- if [ $# -eq 0 ] ; then
- FQDN=""
- else
- [ $# -eq 2 -a "$1" = "-h" ] || usage
- FQDN="$2"
- fi
+ while [ $# -gt 0 ]; do
+ case "$1" in
+ -h)
+ [ -z $FQDN ] && FQDN=$2 && shift || usage
+ ;;
+ --without-masquerade)
+ WITHOUT_MASQUERADE=1
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+ done
+ [ $# -eq 0 ] || usage
 expose_ip
 show_addrs $ALL_CIDRS
 ;;
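Review bot: `[ -z $WITHOUT_MASQUERADE ]` leaves the expansion unquoted, so when the variable is empty the test collapses to `[ -z ]`, which only happens to be true because a one-argument test checks for a non-empty string; the same pattern appears in the `-h` case of the second weave hunk (`[ -z $FQDN ]`). Quote both, and since `skipNAT` is never initialised in expose_ip, reset it on the same line so the query suffix cannot carry over from elsewhere in the script: `skipNAT=; [ -z "$WITHOUT_MASQUERADE" ] || skipNAT="?skipNAT=true"`.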
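Review bot: In the second weave hunk the `-h` case does not check that a value follows the flag: for `weave expose -h` with nothing after it, `FQDN=$2` sets FQDN to the empty string and succeeds, the inner `shift` consumes `-h`, and the outer `shift` then runs on an empty argument list, so the command most likely proceeds as a plain `weave expose` (possibly after a shell error from shift) instead of reaching `usage` as the replaced `[ $# -eq 2 -a "$1" = "-h" ] || usage` did. Requiring the argument explicitly, `[ $# -ge 2 -a -z "$FQDN" ] || usage; FQDN=$2; shift`, restores that rejection and also quotes the FQDN test.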