Cory,
I see it this way:
- 44 hosts should communicate only with other 44 hosts via tunnels
- to communicate with the internet as originating hosts, they shall use ISP_GW's public IP using masquerade. It makes no sense to add load to ampr-gw unless you really need to land in the internet with a 44 address instead of your GW_IP. Why does this bother you? Google and Facebook don't care. And the BGP routed subnets cannot be reached this way.
- incoming connections from the internet to 44 come via ampr-gw IPIP and MUST be replied to the same way (via IPIP to ampr-gw - if you really want access from the public internet to your 44 IP)
- BGP announced hosts will be reached via NAT/masquerade on the ISP_GW (there's no other way at the moment, unless you're also BGP announced)
- local LAN hosts will reach the internet via NAT/masquerade on the ISP_GW
- local LAN hosts can reach 44 nets if there is a device in the way (router) that can masquerade the local IPs to a 44 net (I would not recommend that).
> - YourGWHost -> BGP-only44Net = Should be treated like any other internet destination and egress the ISP interface; This doesn't work because of the arbitrary "to 44/8 use table 44" rule that doesn't seem to have a valid reason for existing.
It has a valid reason. You still need your 'to 44.0.0.0/8 use table 44' for 44 targets to be dispatched by table 44. What you don't need is the default route in table 44 directing all unknown 44 traffic to the ampr-gw, which is the cause of this behavior. Not the rule, the route in table 44. And for your access from the internet you need a way to get 'from Assigned44LAN to ! 44.0.0.0/8' via the ampr-gw tunnel. One solution would be the one described 2 days earlier, a second custom routing table (for which I use the 'default' table).
Another possibility would be to drop the usage of table 44 and put all routes in table 'main'. Then the rules are not needed for 44/44 traffic, only for the part relating to the reply to incoming non-44 connections via ampr-gw, which needs 2 rules to work.
Marius, YO2LOJ
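The layout described in the message above, written out as iproute2/iptables commands. This is an added example, not code from Marius or from the AMPRNet project, and every interface name, subnet and address in it is an assumption chosen for illustration (eth0/eth1/tunl0, the hypothetical assigned subnet 44.1.2.0/24, TEST-NET addresses standing in for ampr-gw and for the tunnelled peers). It keeps the 'to 44.0.0.0/8 lookup 44' rule, leaves the default route out of table 44 so unknown 44 prefixes fall through to the ISP, and uses the 'default' table for the path back to ampr-gw. It goes one step beyond the message: instead of a 'from Assigned44LAN' rule, which would send all non-44 traffic from the 44 LAN to ampr-gw, it marks connections that arrived through the tunnel with a connmark and routes only their replies via table 'default', so originating hosts still leave via the ISP with masquerade.

```shell
#!/bin/sh
# Added example (not code from the original message): policy routing for a
# 44net gateway host following the points in the message above. All names and
# addresses are assumptions for illustration:
#   ISP_IF    interface towards the ISP (masquerade egress)
#   LAN44_IF  interface carrying the assigned 44 subnet LAN44
#   TUN_IF    multipoint IPIP tunnel (tunl0) to ampr-gw and the other 44 gateways
#   AMPR_GW   stand-in address (TEST-NET-1) for the ampr-gw tunnel endpoint
#   PEERS     encap-style list "44subnet=gateway_public_ip" of tunnelled peers
# With DRY_RUN=1 (the default) the commands are only printed; run as root with
# DRY_RUN=0 to apply them.
ISP_IF=${ISP_IF:-eth0}
LAN44_IF=${LAN44_IF:-eth1}
LAN44=${LAN44:-44.1.2.0/24}
TUN_IF=${TUN_IF:-tunl0}
AMPR_GW=${AMPR_GW:-192.0.2.1}
PEERS=${PEERS:-"44.3.0.0/16=198.51.100.7 44.4.5.0/24=203.0.113.9"}
DRY_RUN=${DRY_RUN:-1}
MARK=0x44   # conntrack/packet mark meaning "this connection came in via ampr-gw"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

ampr_setup() {
    run sysctl -w net.ipv4.ip_forward=1

    # Table 44: ONLY the tunnelled 44 destinations, one route per peer, and
    # deliberately no default route. A 44 prefix that is not in the encap list
    # (a BGP-announced subnet, say) therefore falls through to table main and
    # leaves via the ISP, NATed, like any other internet destination.
    for p in $PEERS; do
        run ip route replace "${p%%=*}" via "${p#*=}" dev "$TUN_IF" onlink table 44
    done
    # Second custom table ('default', id 253, as in the message): everything
    # sent here goes back to ampr-gw through the tunnel.
    run ip route replace default via "$AMPR_GW" dev "$TUN_IF" onlink table default

    # Rule 1: 44 targets are dispatched by table 44 (this rule stays).
    run ip rule add to 44.0.0.0/8 lookup 44 pref 44
    # Rule 2: replies to connections that arrived via ampr-gw (see marking
    # below) use table 'default', hence the tunnel. It sits after rule 1 so a
    # reply to a directly tunnelled 44 peer still takes that peer's own route.
    run ip rule add fwmark "$MARK" lookup default pref 50

    # Marking: a connection first seen on the tunnel gets the connmark; the mark
    # is restored onto its reply packets from the 44 LAN (forwarded) and from
    # the gateway itself (OUTPUT). Unmarked traffic from the 44 LAN and the
    # local LAN is untouched and takes table main, i.e. the ISP default route.
    run iptables -t mangle -A PREROUTING -i "$TUN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN44_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # Originating hosts (44 LAN and local LAN) reach the internet with the
    # ISP's public IP; nothing leaving through the tunnel is rewritten.
    run iptables -t nat -A POSTROUTING -o "$ISP_IF" -j MASQUERADE

    # Packets from internet sources arrive on the tunnel while table main
    # routes those sources out of the ISP interface, so strict reverse-path
    # filtering (rp_filter=1) would drop them; loose mode (2) keeps them.
    run sysctl -w "net.ipv4.conf.$TUN_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$LAN44_IF.rp_filter=2"
}

ampr_setup
```

Run it once as a dry run and read the printed commands before applying them with DRY_RUN=0. Note that 'ip rule add' is not idempotent: re-running the script on a live host adds duplicate rules, so delete the two rules (or flush the tables) before re-applying. The effective rp_filter value is the maximum of the 'all' and per-interface settings, so setting the two interfaces to 2 is enough even when 'all.rp_filter' is 1.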