The default setting that kubeadm + calico use is to NAT any incoming connection that is not from a pod_ip.
I have calico publishing the service network to my outside LAN, and would rather the service pods utilize the actual client IPs and not a translated IP.
Specifically, it adds

    -A KUBE-SERVICES ! -s 172.16.0.0/16 -d 172.20.160.251/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ

to iptables.
Although this isn't an immediate concern, it does raise the future risk of ephemeral port exhaustion, and makes it generally difficult to trace connections and to log the clients accessing my web services.
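
An added example, not part of the original post: a Python sketch that scans `iptables-save` output for rules of the shape quoted above and reports which cluster IPs will have their client addresses translated. The sample dump is constructed around the quoted rule; the function names, the `KUBE-SVC-EXAMPLE0000001` chain name and the test client addresses are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output; the first rule is the one quoted in the post.
SAMPLE = '''\
-A KUBE-SERVICES ! -s 172.16.0.0/16 -d 172.20.160.251/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 172.20.160.251/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-SVC-EXAMPLE0000001
-A KUBE-POSTROUTING -m mark --mark 0x4000/0x4000 -j MASQUERADE
'''

def find_masq_rules(dump):
    """Return KUBE-SERVICES rules that mark traffic for masquerade unless it comes from an exempt CIDR."""
    findings = []
    for line in dump.splitlines():
        try:
            tok = shlex.split(line)          # keeps the quoted --comment as one token
        except ValueError:
            continue                         # unbalanced quotes: not a rule we can read
        if tok[:2] != ["-A", "KUBE-SERVICES"]:
            continue
        opts, negated, i = {}, set(), 2
        while i < len(tok):
            neg = tok[i] == "!"              # "!" negates the option that follows it
            if neg:
                i += 1
                if i >= len(tok):
                    break
            key = tok[i]
            has_value = i + 1 < len(tok) and tok[i + 1] != "!" and not tok[i + 1].startswith("-")
            opts[key] = tok[i + 1] if has_value else ""
            i += 2 if has_value else 1
            if neg:
                negated.add(key)
        if opts.get("-j") != "KUBE-MARK-MASQ" or "-s" not in negated:
            continue
        findings.append({
            "service": opts.get("--comment", ""),
            "cluster_ip": opts.get("-d", ""),
            "proto": opts.get("-p", ""),
            "port": int(opts["--dport"]) if "--dport" in opts else None,
            "exempt_cidr": opts["-s"],
        })
    return findings

def client_is_masqueraded(finding, client_ip):
    """True when client_ip is outside the exempt CIDR, so the pod sees a translated source address."""
    return ipaddress.ip_address(client_ip) not in ipaddress.ip_network(finding["exempt_cidr"])

if __name__ == "__main__":
    for f in find_masq_rules(SAMPLE):
        print(f, client_is_masqueraded(f, "192.168.1.50"))
```
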