FreeBSD IP aliases in different subnets and default outgoing IP address

I have a FreeBSD VPS that until recently had 3 public IP addresses assigned in a /29 subnet. When making outgoing connections, the IP address used was always the non-aliased one, ".20"; however, now I have added another block of 3 IP addresses in a different /29 subnet and the outgoing IP changed to ".44".

Below are the rc.conf settings before and after adding the second subnet aliases.

Before:

ifconfig_em0="inet 70.70.70.20 netmask 255.255.255.248"
ifconfig_em0_alias0="inet 70.70.70.21 netmask 255.255.255.248"
ifconfig_em0_alias1="inet 70.70.70.22 netmask 255.255.255.248"
defaultrouter="70.70.70.17"

Now:

ifconfig_em0="inet 70.70.70.20 netmask 255.255.255.248"
ifconfig_em0_alias0="inet 70.70.70.21 netmask 255.255.255.248"
ifconfig_em0_alias1="inet 70.70.70.22 netmask 255.255.255.248"
ifconfig_em0_alias2="inet 60.60.60.44 netmask 255.255.255.248"
ifconfig_em0_alias3="inet 60.60.60.45 netmask 255.255.255.248"
ifconfig_em0_alias4="inet 60.60.60.46 netmask 255.255.255.248"
defaultrouter="70.70.70.17"

Reading the manual entry for ifconfig, I'm not sure of the correct netmask for the aliases. The manual entry says:

alias   Establish an additional network address for this interface.  This
        is sometimes useful when changing network numbers, and one wishes
        to accept packets addressed to the old interface.  If the address
        is on the same subnet as the first network address for this
        interface, a non-conflicting netmask must be given.  Usually
        0xffffffff is most appropriate.

Question 1: Would this be the correct configuration? (notice alias2)

ifconfig_em0="inet 70.70.70.20 netmask 255.255.255.248"
ifconfig_em0_alias0="inet 70.70.70.21 netmask 255.255.255.255"
ifconfig_em0_alias1="inet 70.70.70.22 netmask 255.255.255.255"
ifconfig_em0_alias2="inet 60.60.60.44 netmask 255.255.255.248"
ifconfig_em0_alias3="inet 60.60.60.45 netmask 255.255.255.255"
ifconfig_em0_alias4="inet 60.60.60.46 netmask 255.255.255.255"
defaultrouter="70.70.70.17"

When I tried this approach, the default outgoing IP address changed to ".46".

Question 2: How can I define the default IP address used for outgoing connections, if for example I want that to be 70.70.70.21?

Below are the routing tables and interface info:

Routing Tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            70.70.70.17        UGS         0  2000863    em0
60.60.60.40/29     link#1             U           0       12    em0
60.60.60.44        link#1             UHS         0    18291    lo0
60.60.60.45        link#1             UHS         0        0    lo0
60.60.60.46        link#1             UHS         0        5    lo0
70.70.70.16/29     link#1             U           0        0    em0
70.70.70.20        link#1             UHS         0        6    lo0
70.70.70.21        link#1             UHS         0        0    lo0
70.70.70.22        link#1             UHS         0        0    lo0
127.0.0.1          link#3             UH          0      203    lo0

Routing Tables (with netmask .255)

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            70.70.70.17        UGS         0  2015436    em0
60.60.60.40/29     link#1             U           0       12    em0
60.60.60.44        link#1             UHS         0    18295    lo0
60.60.60.45        link#1             UHS         0        0    lo0 =>
60.60.60.45/32     link#1             U           0        0    em0
60.60.60.46        link#1             UHS         0        9    lo0 =>
60.60.60.46/32     link#1             U           0        0    em0
70.70.70.16/29     link#1             U           0        0    em0
70.70.70.20        link#1             UHS         0        6    lo0
70.70.70.21        link#1             UHS         0        0    lo0 =>
70.70.70.21/32     link#1             U           0        0    em0
70.70.70.22        link#1             UHS         0        0    lo0 =>
70.70.70.22/32     link#1             U           0        0    em0
127.0.0.1          link#3             UH          0      205    lo0

ifconfig em0

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:11:22:33:44:55
        inet 70.70.70.20 netmask 0xfffffff8 broadcast 70.70.70.23
        inet 70.70.70.21 netmask 0xfffffff8 broadcast 70.70.70.23
        inet 70.70.70.22 netmask 0xfffffff8 broadcast 70.70.70.23
        inet 60.60.60.44 netmask 0xfffffff8 broadcast 60.60.60.47
        inet 60.60.60.45 netmask 0xfffffff8 broadcast 60.60.60.47
        inet 60.60.60.46 netmask 0xfffffff8 broadcast 60.60.60.47
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

ifconfig em0 (with netmask .255)

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:11:22:33:44:55
        inet 70.70.70.20 netmask 0xfffffff8 broadcast 70.70.70.23
        inet 60.60.60.44 netmask 0xfffffff8 broadcast 60.60.60.47
        inet 70.70.70.21 netmask 0xffffffff broadcast 70.70.70.21
        inet 70.70.70.22 netmask 0xffffffff broadcast 70.70.70.22
        inet 60.60.60.45 netmask 0xffffffff broadcast 60.60.60.45
        inet 60.60.60.46 netmask 0xffffffff broadcast 60.60.60.46
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

ipfw

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny tcp from any to any frag
00500 check-state
00600 allow tcp from any to any established
00700 allow ip from any to any out keep-state
00800 allow icmp from any to any
00900 allow tcp from any to any dst-port 80,443 in
01200 allow tcp from any to any dst-port 20-22,25,80,443 out
01300 allow udp from any to any dst-port 53 out
65535 deny ip from any to any

Thanks in advance for any hints! :)


Solution 1:

All aliases within an existing range should have a /32 (255.255.255.255) network mask. So this example you gave is correct:

ifconfig_em0="inet 70.70.70.20 netmask 255.255.255.248"
ifconfig_em0_alias0="inet 70.70.70.21 netmask 255.255.255.255"
ifconfig_em0_alias1="inet 70.70.70.22 netmask 255.255.255.255"
ifconfig_em0_alias2="inet 60.60.60.44 netmask 255.255.255.248"
ifconfig_em0_alias3="inet 60.60.60.45 netmask 255.255.255.255"
ifconfig_em0_alias4="inet 60.60.60.46 netmask 255.255.255.255"
defaultrouter="70.70.70.17"

That should see 70.70.70.20 being used for normal outbound traffic. You can't define it; rather, it will always use the main IP on the card, and the first IP in a new subnet set of aliases.

For the purpose of testing, though, there are a bunch of tools that will allow a source option. For example, "ping -S 70.70.70.22 x.x.x.x"; telnet also does, etc.
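As an added example (not code from the question or the answer), a small Python script that parses the rc.conf lines from the question, flags aliases whose netmask breaks the rule the answer gives (the first address of each subnet keeps the real mask, later aliases in the same subnet get 255.255.255.255), and predicts the outbound source address by that same rule. It assumes dotted-decimal masks and encodes the answer's rule rather than the kernel's own selection logic, so its prediction is something to compare against the host, not a substitute for checking it.

```python
import ipaddress
import re

# Constructed sample: the "Now" rc.conf from the question (all aliases still /29).
RC_CONF = """
ifconfig_em0="inet 70.70.70.20 netmask 255.255.255.248"
ifconfig_em0_alias0="inet 70.70.70.21 netmask 255.255.255.248"
ifconfig_em0_alias1="inet 70.70.70.22 netmask 255.255.255.248"
ifconfig_em0_alias2="inet 60.60.60.44 netmask 255.255.255.248"
ifconfig_em0_alias3="inet 60.60.60.45 netmask 255.255.255.248"
ifconfig_em0_alias4="inet 60.60.60.46 netmask 255.255.255.248"
defaultrouter="70.70.70.17"
"""
LINE_RE = re.compile(r'^ifconfig_(\w+?)(?:_alias\d+)?="inet (\S+) netmask (\S+)"$')

def parse_rc_conf(text):
    """Return ({iface: [(address, dotted mask), ...] in rc.conf order}, defaultrouter)."""
    ifaces, router = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            iface, addr, mask = m.groups()
            ifaces.setdefault(iface, []).append((ipaddress.ip_address(addr), mask))
        elif line.strip().startswith("defaultrouter="):
            router = ipaddress.ip_address(line.split('"')[1])
    return ifaces, router
def subnets(addrs):
    """[(network, first address configured in it)] in rc.conf order."""
    nets = []
    for addr, mask in addrs:
        if not any(addr in n for n, _ in nets):
            nets.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), addr))
    return nets
def corrected(addrs):
    """Answer's rule: first address of a subnet keeps its netmask, later ones get /32."""
    firsts = {first for _, first in subnets(addrs)}
    return [(a, m if a in firsts else "255.255.255.255") for a, m in addrs]
def lint(addrs):
    """Addresses whose rc.conf netmask differs from what the rule wants."""
    return [f"{a}: netmask {m} should be {want}"
            for (a, m), (_, want) in zip(addrs, corrected(addrs)) if m != want]
def outbound_source(addrs, router, dest):
    """Answer's rule: first address in the subnet of the next hop (dest if on-link, else router)."""
    dest = ipaddress.ip_address(dest)
    next_hop = next((dest for n, _ in subnets(addrs) if dest in n), router)
    return next((first for n, first in subnets(addrs) if next_hop in n), None)
if __name__ == "__main__":  # quick demo on the sample above
    ifaces, router = parse_rc_conf(RC_CONF)
    print(lint(ifaces["em0"]), outbound_source(ifaces["em0"], router, "8.8.8.8"))
```

Feeding it the corrected configuration from the answer returns no lint findings, and `corrected()` prints the mask each alias line should carry.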