Dave Anderson
2021-05-30 22:36:10 UTC
I’m setting up on 6.9-release a (for now) IPv4-only firewall with multiple public addresses and multiple subnets behind it, and have a couple of questions related to connections originating from the firewall itself to which I haven’t found definitive answers.
When not overridden (for example, by ‘ftp-proxy -a <adr>’) which of the public addresses will be chosen as the source address for connections to the Internet originating on the firewall? It would make sense to me for the one address not declared as an alias to always be chosen, but I haven’t found anything that states this to be true. I want to (for example) keep traffic from systems I control separate from that from the WiFi subnet (which I’ll NAT to a different public address).
I plan to use tags to control policy, initially tagging each new connection based mostly (but not entirely) on which interface it arrives through. But, unless I’m missing something, connections originating on the firewall can’t be tagged this way since they don’t arrive through any interface. Which also seems to mean that all policy decisions must be made outbound, since that’s the only time that connections originating on the firewall will pass through an interface. And I haven’t found any way of filtering on untagged connections (something like ‘! tagged any’ would be nice). I’m sure that my setup isn’t unique, so there must be a good way of dealing with this, but I’ve no idea what it might be. Suggestions, please!
--
Dave Anderson
***@daveanderson.com
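One way to lay out the tagging scheme the post describes, added here as an illustration and not part of the original message or any reply to it. The pf.conf fragment tags each new connection by its arrival interface and then keys the outbound policy on the tag. Because pf keeps the tag in the state, the reply and follow-on packets leaving the external interface still carry it; the firewall's own connections never pass an inbound rule, so they reach the outbound rules untagged and are matched by their pre-translation source address rather than by a tag. Interface names, the public address and the tag names are constructed placeholders.

```pf
# Constructed pf.conf fragment for OpenBSD pf (example only, not from the post).
# Interface names, the WiFi public address and tag names are placeholders.
ext_if   = "em0"
lan_if   = "em1"
wifi_if  = "em2"
wifi_pub = "203.0.113.20"     # placeholder: separate public address for WiFi NAT

set skip on lo

# Tag every new connection with the internal interface it arrived through.
# A packet carries only one tag, and the tag is stored in the state, so the
# outbound half of the same connection on $ext_if is still tagged.
match in on $lan_if  tag LAN
match in on $wifi_if tag WIFI

# Default on the external interface: nothing leaves unless a rule below says so.
block out on $ext_if

# Forwarded traffic, keyed on the tag. ($ext_if:0) expands to the interface
# address without its aliases, so tagged LAN traffic is NATed to the primary
# address and WiFi traffic to its own public address.
pass out quick on $ext_if tagged LAN  nat-to ($ext_if:0)
pass out quick on $ext_if tagged WIFI nat-to $wifi_pub

# Whatever is left on $ext_if did not arrive on a tagged internal interface.
# The firewall's own connections already carry one of $ext_if's addresses as
# source when they reach this rule, so matching on ($ext_if) catches them
# regardless of which address the kernel picked as source. They are tagged
# here so later anchors or log rules can still tell them apart.
pass out quick on $ext_if from ($ext_if) tag SELF

# pf also accepts the negated form '! tagged <tag>', which excludes packets
# carrying one specific tag; e.g. log everything on $ext_if that is not WiFi:
match out on $ext_if ! tagged WIFI log
```

The `quick` rules matter: without them pf's last-match semantics would let the untagged rule override the per-tag NAT rules. Note that `! tagged` negates a single tag, so excluding several tags in one rule still needs the ordering above rather than a `tagged any` construct.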