Hi guys.

I've always tried to leave as much as possible to the kernel, but here I had to resort to source/rule-based routing and I wonder why. Any expert care to shed some light on what is (not) happening here?

    HOME -- tunnel --> public iface SHED gw A iface; B iface <-- to respectively --> SOME box A iface; B iface

HOME can get to both A & B ifaces (which are different subnets) all the way up to the SOME box.

Now, a DIFFERENT box runs/is behind/on that SOME box, which connects to A iface & B iface respectively (SOME's A & B ifaces are Linux bridges), and it needs - so it appears - manual rules in order to have HOME get to DIFFERENT's iface B.

With IPs:

    10.3.9.0/24 -> tunnel -> SHED's 10.1.1.254 & 10.3.1.254 -> SOME's 10.1.1.99 & 10.3.1.99 - all good!
    ---||--- -> DIFFERENT's 10.1.1.50 - works
    ---||--- -> DIFFERENT's 10.3.1.50 - for this one I need to set rules (on DIFFERENT only) so HOME can get to it

All boxes have METRICs set the same way: the iface on 10.1.1.0/24 runs with metric 111 & the one on 10.3.1.0/24 with 113.

So I must(?) use these, so HOME can get to both of DIFFERENT's ifaces:

    $ ip ro ls table 113
    default via 10.3.1.254 dev enp0s3
    $ ip ro ls table 114
    default via 10.1.1.254 dev enp0s10

& rules:

    32764: from 10.3.1.0/24 to 10.3.9.0/24 lookup 113
    32765: from 10.1.1.0/24 to 10.3.9.0/24 lookup 114

I'd prefer not to use human-set rules, but if that's not possible, I'll be happy with an explanation.

Many thanks,
L.
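As an added example, not part of the post above and not a reply from the list: a POSIX shell script that emits (rather than executes) the policy-routing setup for a two-homed host like DIFFERENT, using the post's addresses, device names and table ids. It generalizes the post's rules: each rule is keyed on the source network only, not on the single destination 10.3.9.0/24, so a reply sent from 10.3.1.50 leaves via 10.3.1.254 whatever the remote network is. The rp_filter setting and the `ip route get` verification commands are additions assumed here, not something the post mentions.

```sh
#!/bin/sh
# Added example (not from the post): emit the per-interface policy-routing
# setup for a multihomed host like the post's DIFFERENT box, so replies to a
# remote network leave through the gateway of the interface they arrived on.
# Commands are printed, not executed, so they can be reviewed before use.
# Addresses, device names and table ids below are the post's own.

# One interface per line: device  local address/prefix  gateway  table id
IFACES='enp0s10 10.1.1.50/24 10.1.1.254 114
enp0s3 10.3.1.50/24 10.3.1.254 113'

# Dotted-quad IPv4 address -> integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted-quad IPv4 address
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network of a host address in CIDR form: 10.3.1.50/24 -> 10.3.1.0/24
cidr_network() {
    addr=${1%/*}
    plen=${1#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    echo "$(int_to_ip $(( $(ip_to_int "$addr") & mask )))/$plen"
}

# Print the ip(8) commands for every interface: a dedicated table holding that
# interface's default route, and a rule keyed on the SOURCE network (not on one
# destination) so traffic from any remote site gets a symmetric return path.
gen_policy_routing() {
    printf '%s\n' "$IFACES" | while read -r dev cidr gw tbl; do
        net=$(cidr_network "$cidr")
        echo "ip route replace default via $gw dev $dev table $tbl"
        echo "ip rule add from $net lookup $tbl priority $((32000 + tbl))"
        # Strict reverse-path filtering (1) drops packets whose reply would
        # leave by another interface; loose mode (2) keeps the anti-spoofing
        # check but tolerates multihoming. Assumed here, not in the post.
        echo "sysctl -w net.ipv4.conf.$dev.rp_filter=2"
    done
}

# Print the commands that show which route the kernel picks for a reply sent
# from each local address to the remote network, to confirm the rules apply.
gen_verification() {
    remote=$1
    printf '%s\n' "$IFACES" | while read -r dev cidr gw tbl; do
        echo "ip route get $remote from ${cidr%/*}"
    done
    echo "ip rule show"
}

# Number of rule lines produced; one per interface is the expected outcome
count_rules() {
    gen_policy_routing | grep -c '^ip rule add'
}

gen_policy_routing
gen_verification 10.3.9.1   # 10.3.9.1 is a constructed HOME-side address
```

Why the rules are needed at all: a host with one main routing table has one best default route, here the lower-metric 10.1.1.254, and uses it for every locally generated reply regardless of which of its own addresses the request was sent to, so traffic to 10.3.1.50 comes back through 10.1.1.254 and is dropped by any strict reverse-path check or stateful filter along the way. The source-keyed rule makes the choice of gateway follow the source address instead, which the main table cannot express.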