diff --git a/cluster/kube/lib/nginx.libsonnet b/cluster/kube/lib/nginx.libsonnet
index a871b96d..52ff93cf 100644
--- a/cluster/kube/lib/nginx.libsonnet
+++ b/cluster/kube/lib/nginx.libsonnet
@@ -142,6 +142,10 @@ local kube = import "../../../kube/kube.libsonnet";
             target_pod:: env.deployment.spec.template,
             spec+: {
                 type: "LoadBalancer",
+                // The nginx ingress instrance is single-instance and metallb l2 (which we run)
+                // does SNAT on 'Cluster', thereby losing the source IP address.
+                // See: https://metallb.universe.tf/usage/#cluster-traffic-policy
+                externalTrafficPolicy: "Local",
                 ports: [
                     { name: "ssh", port: 22, targetPort: 22, protocol: "TCP" },
                     { name: "http", port: 80, targetPort: 80, protocol: "TCP" },