Oh, that's the part I was missing. Source-based routing is not a normal part of any standard IP stack. I'm not even sure if it's available on commercial-grade routers by default. It goes against the IP specification. If it's not part of the NAT module for Linux, it's another addition beyond the normal IP stack. That said, I suppose if you have it set up to route all packets from an IP address out of the external interface, of course it's going to go out of the external interface. You need a rule that would take precedence. I don't know how the source-based routing works under Linux, but see if you can get it to apply only for the default destination route so that any static routes you have (like your directly-connected 10.whatever network) will take precedence in the routing table. It's bound to interact with the normal priority routing system in some way.
In fact, you shouldn't have to do that source-based routing, except that your ISPs (or theirs) have intentionally broken open routing by denying packets whose source addresses aren't in their whitelist.
I suppose it's hard to say which of these things is the most broken.
_________________________
Bitt Faulk