diff --git a/akanda/router/drivers/iptables.py b/akanda/router/drivers/iptables.py
index 831c5d6..7e2935f 100755
--- a/akanda/router/drivers/iptables.py
+++ b/akanda/router/drivers/iptables.py
@@ -276,6 +276,14 @@ class IPTablesManager(base.Manager):
                     ), ip_version=4
                 ))
 
+        # Add a masquerade catch-all for VMs without floating IPs
+        ext_if = self.get_external_network(config).interface
+        rules.append(Rule(
+            '-A POSTROUTING -o %s -j MASQUERADE' % (
+                ext_if.ifname
+            ), ip_version=4
+        ))
+
         return rules
 
     def _build_floating_ips(self, config):
@@ -316,11 +324,7 @@ class IPTablesManager(base.Manager):
                             fip.fixed_ip
                         ), ip_version=4
                     ))
-        rules.append(Rule(
-            '-A POSTROUTING -o %s -j MASQUERADE' % (
-                ext_if.ifname
-            ), ip_version=4
-        ))
+
         return rules
 
     def _build_public_snat_chain(self, config):
diff --git a/test/unit/drivers/test_iptables.py b/test/unit/drivers/test_iptables.py
index 3e7765a..1511fab 100644
--- a/test/unit/drivers/test_iptables.py
+++ b/test/unit/drivers/test_iptables.py
@@ -182,9 +182,6 @@ class TestIPTablesConfiguration(TestCase):
         assert map(str, mgr._build_floating_ips(CONFIG)) == [
             '-A POSTROUTING -s 192.168.0.2 -j PUBLIC_SNAT',
             '-A PREROUTING -i eth1 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2',  # noqa
-            '-A PREROUTING -i eth2 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2',  # noqa
-            '-A POSTROUTING -o eth1 -j MASQUERADE' # noqa
-        ]
-        assert map(str, mgr._build_floating_ips(config)) == [
-            '-A POSTROUTING -o eth1 -j MASQUERADE' # noqa
+            '-A PREROUTING -i eth2 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2'  # noqa
         ]
+        assert mgr._build_floating_ips(config) == []