Subject: Re: [44net] AMPRNet Interoperability with BGP
From: "Cory (NQ1E)" <cory(a)nq1e.hm>
Date: 06/18/2015 11:59 PM
To: AMPRNet working group <44net(a)hamradio.ucsd.edu>
> Bingo!!! There's the use-case I was missing in my head:
> YourGWHost(Forcing44SourceIP) -> OtherIPIPLANs
That is right!
Note that this config was constructed for an all-in-one system that functions as
the IPIP tunnel host, as a host for running services on AMPRnet (potentially reachable
from all internet addresses), as a host to make outgoing connections to other amprnet
systems, and as a general work machine for the owner (to browse, mail etc).
The same browser session would automatically use the tunnels to reach other systems
on AMPRnet, but it would use the direct path via the ISP for google and youtube.
> The correct way to do that is obviously to tell the program you're using
> that you want to bind to the specific 44 network interface. Forcing it to
> happen for all traffic with a 44/8 destination is an easy workaround to
> make that work, but as you can see it can have unintended consequences.
Unfortunately this is not really practical. Sure you can set the source address on many
common commandline utilities (like ping, telnet, traceroute, ftp) but not on many other
networking programs like web browsers.
Even an amateur radio oriented program like the Echolink client I use (QTEL) cannot
set the source address.
I made a request for enhancement for it, but that kind of thing had better be handled in
a universal way.
> My recommended solution for those who want to be able to connect to as many
> 44 nets as possible is:
> Remove the 'to 44/8' rule and if you want to talk to a 44 host from a 44
> IP, use a host behind your gateway, not the gateway host itself.
I have more or less done that already, as I now have a separate router between the
host and the network, but even that does not solve this problem when that host again
has to be on both networks. My main PC now has 2 addresses (each on a VLAN) to talk to
the outside world, one is used (via NAT) to talk to internet, the other is 44.137.41.97
and is used when talking amprnet. But of course both can in fact communicate to
any address, the decision which one to use is always a bit tricky. So my rule still is
that "all traffic from my own subnet to anywhere, and all traffic from my host to
44.0.0.0/8" is using the amprnet and goes out from 44.137.41.97 and without NAT, all
other traffic is using the ISP internet and is NATted by the router. And again I have
those "ip rules" in my system to achieve that:
0: from all lookup local
1: from all to 44.137.41.96/28 lookup main
44: from 44.137.41.96/28 lookup amprnet
44: from all to 44.0.0.0/8 lookup amprnet
32766: from all lookup main
32767: from all lookup default
I am open to better solutions, as long as they are not "make sure that every program
you use can bind an explicit local address".
Of course now that I am behind a router the immediate problem of sending tunnel traffic
to net-44 endpoints is no longer there, also because I am no longer directly on IPIP
but only via our gateway, but still this source address selection issue remains.
It may be that a suggestion I received from Jann can fully remedy the problem at least
on a dedicated router/gateway. His approach is to make an unconditional rule that first
sends the outgoing traffic through a table with only the IPIP tunnels. When that matches,
the system will of course set the 44.x.x.x source address. Then, a rule follows that
matches on "from 44.137.41.96/28" and refers to a table with only a default route pointing
to the gateway (UCSD or another) that will forward the outside-44 traffic back to
internet.
Then finally everything else is looked up in the main routing table which has the default
route going out via the ISP.
I have not tested yet how well that works in practice. As mentioned, I no longer have the
setup running that this config was originally created for. But it looks good.
Rob
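The three-table policy routing that Jann suggested and Rob describes above, written out as iproute2 commands. This is an added example and not a script from the 44net post, from Rob, or from Jann; it only reproduces the ordering they describe (tunnel table first, then a gateway table for traffic sourced from 44.137.41.96/28, then main) and deliberately contains no "to 44.0.0.0/8" rule. The tunnel device name tunl0, the table numbers 44 and 45, the rule preferences 100 and 200, the gateway endpoint 198.51.100.1 and the two remote 44 subnets with their endpoints are all assumptions or constructed placeholders; the 44.137.41.96/28 subnet and the 44.137.41.97 address are the ones from the post. By default the script only prints the commands it would run; with APPLY=1 and root it executes them.

```shell
#!/bin/sh
# Added example (not from the 44net post): Jann's three-table policy routing
# as a dry-run script. APPLY=1 as root executes the commands instead of printing.
# Everything marked "assumed" or "constructed" is a placeholder, not from the post.

NET44_SUBNET="44.137.41.96/28"   # from the post: the local 44 subnet
NET44_ADDR="44.137.41.97"        # from the post: the local 44 address
TUN_DEV="tunl0"                  # assumed: the IPIP tunnel device
GW_ENDPOINT="198.51.100.1"       # assumed placeholder for the gateway's tunnel endpoint
TUN_TABLE=44                     # assumed table number: direct IPIP tunnel routes only
GW_TABLE=45                      # assumed table number: one default route via the gateway
TUN_PREF=100                     # looked up first (lower pref wins)
GW_PREF=200                      # looked up after the tunnel table, before main (32766)

# Constructed sample of remote 44 subnets and their tunnel endpoints
# ("subnet endpoint" per line); not real AMPRNet allocations.
REMOTE_TUNNELS="44.0.2.0/24 192.0.2.10
44.0.3.0/24 192.0.2.20"

ipc() {  # dry run by default: print the command; APPLY=1 runs it
    if [ "${APPLY:-0}" = "1" ]; then ip "$@"; else echo "ip $*"; fi
}

tunnel_routes() {
    # Every direct tunnel route carries "src $NET44_ADDR": a hit in this table is
    # what makes the kernel choose the 44 source address without the application
    # having to bind to it.
    echo "$REMOTE_TUNNELS" | while read -r subnet endpoint; do
        [ -n "$subnet" ] || continue
        ipc route add "$subnet" via "$endpoint" dev "$TUN_DEV" onlink \
            src "$NET44_ADDR" table "$TUN_TABLE"
    done
}

gateway_route() {
    # The gateway table holds nothing but a default route: traffic that already
    # has a 44 source and no direct tunnel goes back out via the gateway.
    ipc route add default via "$GW_ENDPOINT" dev "$TUN_DEV" onlink \
        src "$NET44_ADDR" table "$GW_TABLE"
}

policy_rules() {
    # Unconditional first lookup in the tunnel table, then the from-44 rule.
    # There is intentionally no "to 44.0.0.0/8" rule: 44 destinations without a
    # tunnel fall through to main and leave via the ISP like any other address.
    ipc rule add from all lookup "$TUN_TABLE" pref "$TUN_PREF"
    ipc rule add from "$NET44_SUBNET" lookup "$GW_TABLE" pref "$GW_PREF"
}

plan() {
    tunnel_routes
    gateway_route
    policy_rules
}

# Dry-run sanity check: rule prefs must strictly increase (tunnel table before
# the gateway table) and all of them must sit below main's pref 32766.
rules_in_order() {
    plan | awk '
        /^ip rule add/ {
            for (i = 1; i <= NF; i++) if ($i == "pref") p = $(i + 1) + 0
            if (seen && p <= prev) bad = 1
            prev = p; seen = 1
        }
        END { exit ((bad || !seen || prev >= 32766) ? 1 : 0) }'
}

plan
```

One caveat worth knowing before relying on this on a host that is on both networks: for a locally originated packet from a socket that has not bound a source address, the kernel performs the rule lookup with a source of 0.0.0.0, so the "from 44.137.41.96/28" rule never matches and such traffic falls through to main. The scheme therefore does exactly what Rob says it was meant for, a dedicated router/gateway forwarding for hosts behind it, and does not by itself solve the source-selection problem for unbound programs on the gateway host.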