diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
index 3173c21dd..039c92d0b 100644
--- a/pkg/controllers/proxy/network_services_controller.go
+++ b/pkg/controllers/proxy/network_services_controller.go
@@ -289,6 +289,20 @@ func (nsc *NetworkServicesController) Run(healthChan chan<- *healthcheck.Control
 	// https://github.com/kubernetes/kubernetes/pull/70530/files
 	setSysCtlAndCheckError(utils.IPv4ConfAllArpAnnounce, arpAnnounceUseBestLocalAddress)
 
+	// Ensure rp_filter=2 for DSR capability, see:
+	// * https://access.redhat.com/solutions/53031
+	// * https://github.com/cloudnativelabs/kube-router/pull/1651#issuecomment-2072851683
+	if nsc.isIPv4Capable {
+		sysctlErr := utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, "all", 2)
+		if sysctlErr != nil {
+			if sysctlErr.IsFatal() {
+				klog.Fatal(sysctlErr.Error())
+			} else {
+				klog.Error(sysctlErr.Error())
+			}
+		}
+	}
+
 	// https://github.com/cloudnativelabs/kube-router/issues/282
 	err = nsc.setupIpvsFirewall()
 	if err != nil {
diff --git a/pkg/controllers/proxy/service_endpoints_sync.go b/pkg/controllers/proxy/service_endpoints_sync.go
index 057469bc8..0d3ecf591 100644
--- a/pkg/controllers/proxy/service_endpoints_sync.go
+++ b/pkg/controllers/proxy/service_endpoints_sync.go
@@ -476,7 +476,7 @@ func (nsc *NetworkServicesController) setupExternalIPForDSRService(svc *serviceI
 	dummyVipInterface, err := nsc.ln.getKubeDummyInterface()
 	if err != nil {
-		return errors.New("Failed creating dummy interface: " + err.Error())
+		return errors.New("Failed getting dummy interface: " + err.Error())
 	}
 
 	ipvsSvcs, err := nsc.ln.ipvsGetServices()
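Review bot: The new rp_filter block switches reverse-path filtering to loose mode on every IPv4-capable node each time Run starts, whether or not any DSR service exists, so the kernel's source-address anti-spoofing check is relaxed cluster-wide for a feature that may be unused. If the controller has a setting that indicates DSR is actually in use, the sysctl write should be gated on it, and the comment should state the trade-off, e.g. `// rp_filter=2 (loose) is required for DSR return traffic; it relaxes reverse-path anti-spoofing on this node and is not reverted on shutdown.`. The kernel applies the larger of conf/all and the per-interface rp_filter value, so setting `all` to 2 cannot be tightened again by a stricter per-interface setting — worth noting in the same comment. `klog.Fatal` here aborts the whole controller mid-startup; unless SetSysctlSingleTemplate's fatal errors are tightly scoped (not visible in this hunk), consider whether a failed write should only disable DSR rather than exit. Run's body continues outside the hunk.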
@@ -564,9 +564,13 @@ func (nsc *NetworkServicesController) setupExternalIPForDSRService(svc *serviceI
 				endpoint.ip, externalIP, err)
 		}
 
-		// add the external IP to a virtual interface inside the pod so that the pod can receive it
-		if err = nsc.addDSRIPInsidePodNetNamespace(externalIP.String(), endpoint.ip); err != nil {
-			return fmt.Errorf("unable to setup DSR receiver inside pod: %v", err)
+		// It's only for local endpoints that we can enter the container's namespace and add DSR receivers inside it.
+		// If we aren't local, then we should skip this step so that we don't accidentally throw an error.
+		if endpoint.isLocal {
+			// add the external IP to a virtual interface inside the pod so that the pod can receive it
+			if err = nsc.addDSRIPInsidePodNetNamespace(externalIP.String(), endpoint.ip); err != nil {
+				return fmt.Errorf("unable to setup DSR receiver inside pod: %v", err)
+			}
 		}
 
 		svcEndpointMap[externalIPServiceID] = append(svcEndpointMap[externalIPServiceID],
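Review bot: The new `endpoint.isLocal` guard leaves non-local endpoints without an in-pod DSR receiver from this node, and the comment explains only why the call is skipped, not who is responsible for those endpoints; a reader of setupExternalIPForDSRService may take remote endpoints to be left unconfigured while still being added as IPVS destinations below. If the design is that the controller on the hosting node performs this step (not visible in this hunk), say so: `// Non-local endpoints get their receiver from the controller on the node that hosts them, where they are local.`. The two added comment lines could also be tightened to one, e.g. `// Only local endpoints' network namespaces are reachable from this node; skip the in-pod setup for remote ones.`. setupExternalIPForDSRService starts and ends outside the hunk.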