Bug #13049

Empty ``negate_networks`` table breaks policy routing rules

Added by Marcos M about 2 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
High
Assignee:
Viktor Gurov
Category:
Rules / NAT
Target version:
Start date:
Due date:
% Done:
100%

Estimated time:
Plus Target Version:
22.05
Release Notes:
Default
Affected Version:
2.6.0
Affected Architecture:

Description

When negate_networks is empty, it effectively behaves the same as any. In cases where the negate_networks table ends up empty, policy routing rules will not work due to the automatic NEGATE_ROUTE rule above it catching all traffic.

Examples of when this can happen are:
  • Using an OpenVPN client without specifying a tunnel network with an interface assigned for use in policy routing
  • A second WAN for use in policy routing

Using the second example as a test, this leads to the ruleset:

table <negate_networks>
[...]
pass  in  quick  on $LAN inet proto tcp  from any  to <negate_networks> ridentifier 10000001 flags S/SA keep state  label "id:1649718619"  label "gw:WAN2GW"  label "NEGATE_ROUTE: Negate policy routing for destination" 
pass  in  quick  on $LAN  $GWWAN2GW inet proto tcp  from any to any ridentifier 1649718619 flags S/SA keep state  label "id:1649718619"  label "gw:WAN2GW"  label "USER_RULE" 

With this, traffic ends up matching the NEGATE_ROUTE rule and is routed through WAN1GW rather than WAN2GW.
Tested on 22.01 and 22.05.a.20220410.0600.
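A small checker for the condition described in this report, added here as an example and not part of the bug report or of pfSense itself: it parses the table definitions and rules of a generated ruleset (the constructed sample mirrors the lines quoted above) and flags any NEGATE_ROUTE rule whose destination table carries no addresses, which is exactly the case in which the policy-routing rule below it is bypassed. The table syntax and the "NEGATE_ROUTE" label text are assumed to match what pfSense emits.

```python
import re
import sys

# Constructed sample ruleset (not copied from a live system): an empty
# negate_networks table, a populated table for contrast, the NEGATE_ROUTE
# rule, and the policy-routing user rule it is meant to shield.
SAMPLE_RULES = """\
table <negate_networks>
table <vpn_networks> { 10.8.0.0/24 }
pass  in  quick  on $LAN inet proto tcp  from any  to <negate_networks> ridentifier 10000001 flags S/SA keep state  label "id:1649718619"  label "gw:WAN2GW"  label "NEGATE_ROUTE: Negate policy routing for destination"
pass  in  quick  on $LAN  $GWWAN2GW inet proto tcp  from any to any ridentifier 1649718619 flags S/SA keep state  label "id:1649718619"  label "gw:WAN2GW"  label "USER_RULE"
"""

# "table <name> [persist|const|counters] { addr addr ... }"; the brace group
# is optional because pfSense writes an empty table with no braces at all.
TABLE_RE = re.compile(
    r'^\s*table\s+<(\w+)>(?:\s+(?:persist|const|counters)\b)*\s*(?:\{(.*)\})?\s*$'
)


def parse_tables(rules_text):
    """Map each pf table name to its inline address list ([] when empty)."""
    tables = {}
    for line in rules_text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            tables[m.group(1)] = (m.group(2) or "").split()
    return tables


def find_empty_negate_rules(rules_text):
    """Return (line_no, table) for NEGATE_ROUTE rules aimed at an empty table.

    An undefined table is reported too: either way the rule's destination
    does not restrict it to the networks that should bypass policy routing.
    """
    tables = parse_tables(rules_text)
    hits = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if "NEGATE_ROUTE" not in line:
            continue
        for name in re.findall(r'\bto\s+<(\w+)>', line):
            if not tables.get(name):
                hits.append((n, name))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for n, name in find_empty_negate_rules(text):
        print(f"line {n}: NEGATE_ROUTE rule references empty table <{name}>; "
              f"the policy-routing rule below it will be bypassed")
```

Run it against a saved copy of the generated ruleset; no output means every NEGATE_ROUTE rule has at least one address behind it.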
