Yes the separate clusters each have separate
NAT/firewalls protecting them.
Again, I am not going to be able to convince the people
donating that bandwidth to set our internal ip on their
network as a DMZ host.
I plan to write about it, if I ever figure out how to punch a
two way tunnel from me (a place where I have control over such
things) to these places.
What I envision is from the rest of the amprnet,
44.92.21.0/24
comes here via an IPIP tunnel; and various smaller chunks /29 or
/28 go back out from here via some other capable tunnel to these
remote sites till we convince folks we need to get something up
on a decent tower.
It doesn't need to be encrypted or authenticated, whatever
is easiest and will do the job.