Feature #14666
open
Option to add automatic pass rules for IGMP Proxy which allow IP options
0%
Description
Users frequently get tripped up by IGMP not receiving traffic because by default, firewall rules do not allow packets with IP options set.
This behavior is already noted in the documentation: https://docs.netgate.com/pfsense/en/latest/services/igmp-proxy.html#igmp-proxy
It might be more user-friendly to have an option with IGMP Proxy to automatically add pass rules on downstream interfaces which pass packets that have IP options set.
This should be off by default (opt-in), but the behavior could be handled a couple different ways:
1. A dedicated "hidden" automatic rule at the top of each downstream interface which passes these packets (risky)
2. Automatically allow IP Options on any pass rule on a downstream interface (safer)
3. Some other behavior that might be more desirable (make rule entries the user can edit? Automatic rules that match other pass rules? Something else entirely?)
Updated by Kristof Provost 9 months ago
I'd suggest a (default on, because it's basically required for it to work anyway) checkbox to create automagic rules along the lines of `pass in quick on { $downstream_if } proto igmp allow-opts`. That's pretty contained to exactly what igmpproxy needs.