On Wed 2 Apr 2025 at 19:58, otto.cooper <otto.coo...@proton.me> wrote:
> On Wednesday, April 2nd, 2025 at 5:50 PM, Claudio Jeker
> <cje...@diehard.n-r-g.com> wrote:
>
> > As long as the default route points to ix0 the egress will be in ix0.
>
> This is what I want to understand. Physically, the default route is the
> gateway. I am in the firewall, trying to configure a specific interface, to
> point at the gateway. In my mind, the interface points at the default route,
> not the other way around.
The default route is given by an IP; then the kernel looks up which interface contains the network through which the box can reach this IP in a single hop. If it can, the route is now shown to be over this interface, and that interface joins the egress interface group. If it can't find such an interface, the default route is not set and no interface joins the egress group.

So there are three entities here, not just "interface points at the default route, not the other way around". You have an IP for which you state that when you send traffic that is meant to go past any of your locally attached networks, for which no other specific route exists, then this IP will forward it to the destination for you. You also have one or more interfaces on the box, each with networks set on them of various sizes given by their netmasks; all of these networks are meant to be reachable without hops and routing. Thirdly, you have a local routing table to which you add a default route (or two with IPv6) by saying "if there is no other more specific route than /0 and it's not a locally attached network, then send it to the def-gw (entity one) and it will work out". This default route will then look up its network list and see which interface has such a network defined so that we may talk to the def-gw directly, and if such an interface is found, it joins egress and this entry is entered into the local routing table.

My guess is that your confusion lies around the fact that after this has been done, it doesn't loop over more interfaces, or it doesn't run them in the order you would like, or it doesn't prefer em0 over ix0 or whatever, but at this point it has done what was asked of it when using the simplest default works-for-99.99%-of-all-boxes settings. So when you move outside of the trodden path, you need to start using more complex commands to specify how you go outside the normal usage, just like what you need to do with "route add ... -iface" to force the wrong interface because your normal settings are not covering an abnormal setup.

As I've said before, if you want em0 to have an interface name that works for pf, then just invent a group name, set it on em0 and be done with it. You can choose to not care about egress, just like you can not care about wi0 joining the "wlan" interface group or fxp0 joining the netboot interface group if you netboot from it. If you have a square peg and a round hole, you might as well just saw up a square hole to put it in.

-- 
May the most significant bit of your life be positive.
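The gateway-to-interface resolution described in the reply above, modelled in Python as an added example (it is not code from the thread or from the OpenBSD kernel). Interface names, addresses and gateway IPs are constructed sample values, and the longest-prefix tie-break when several attached networks contain the gateway is an assumption of this model.

```python
"""Model of how a default gateway is resolved to an egress interface.

Added example, not OpenBSD's own code: it mimics the lookup the reply
describes. All interface names, addresses and gateways are constructed.
"""
import ipaddress
from typing import Optional

# Constructed sample box: each interface carries one or more directly
# attached networks (address/prefix), IPv4 and IPv6 mixed.
INTERFACES = {
    "ix0": ["203.0.113.10/24", "2001:db8:1::10/64"],
    "em0": ["192.0.2.5/24"],
    "vlan10": ["10.10.0.1/16"],
}


def resolve_egress(gateway: str, interfaces=INTERFACES) -> Optional[str]:
    """Return the interface whose attached network contains the gateway.

    The gateway must be reachable in a single hop, i.e. it must fall inside
    one of the networks configured on a local interface. When several
    attached networks contain it, the most specific one (longest prefix)
    wins (assumption). None means the default route cannot be installed
    and no interface joins "egress".
    """
    gw = ipaddress.ip_address(gateway)
    best = None  # (prefix length, interface name)
    for ifname, nets in interfaces.items():
        for cidr in nets:
            net = ipaddress.ip_interface(cidr).network
            if net.version == gw.version and gw in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, ifname)
    return best[1] if best else None


def egress_group(default_gateways, interfaces=INTERFACES):
    """Compute "egress" membership from the default route(s): one IPv4
    default plus optionally one IPv6 default, as the reply mentions."""
    members = set()
    for gw in default_gateways:
        ifname = resolve_egress(gw, interfaces)
        if ifname is not None:
            members.add(ifname)
    return sorted(members)
```

A gateway on no attached network (for example 198.51.100.1 here) yields None, which is the "default route is not set, nothing joins egress" case from the reply.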