Todo #16851

open

Firewall log shows blocked packets with an unspecified source address

Added by Marcos M 1 day ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Troubleshooting
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

This redmine serves as a reference for the behavior described below.

The firewall log can show dropped MLDv2 ICMPv6 packets with IP options; for example:

Apr 28 12:02:13 router filterlog[52662]: 4294967295,,,0,controltun0,ip-option,block,out,6,0x00,0x00000,1,Options,0,96,::,ff02::16,HBH,PADN,RTALERT,0x0000,

These packets cannot be allowed by any rule, including rules with allow-opts. The relevant RFC states the following:
https://datatracker.ietf.org/doc/html/rfc9777#name-source-addresses-for-report

An MLDv2 Report MUST be sent with a valid IPv6 link-local source address, or the unspecified address (::), if the sending interface has not acquired a valid link-local address yet. [...]
On the other hand, routers MUST silently discard a message that is not sent with a valid link-local address, without taking any action on the contents of the packet. Thus, a Report is discarded if the router cannot identify the source address of the packet as belonging to a link connected to the interface on which the packet was received. A Report sent with the unspecified address is also discarded by the router.

These packets with an unspecified address (::) are expected. The firewall log entry appears because the packets must be discarded and hence pf drops them before they have a chance to egress. The log preference at Status > System Logs > Settings > Packets blocked due to IP options can be used to silence these logs.
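The log preference mentioned above silences every block logged with the ip-option reason, not just the RFC-mandated MLDv2 case. The following Python script is an added example, not part of the ticket or of pf/filterlog itself: it parses filterlog IPv6 lines and separates the expected drop (unspecified source, destination ff02::16, Hop-by-Hop header carrying a Router Alert) from any other ip-option block, so the latter can still reach a SIEM. The field positions follow the filterlog CSV layout; the field names, the `parse_filterlog_v6`/`triage` functions and the second and third sample lines are this example's own constructions.

```python
"""
Triage pf filterlog lines: separate the expected drop of MLDv2 Reports that
carry the unspecified source (::) from other "ip-option" blocks, so the latter
stay visible in a SIEM even when the former are suppressed.

Field positions follow the filterlog CSV layout (rule number, sub-rule, anchor,
tracker id, interface, reason, action, direction, IP version, then the
IPv6-specific fields class, flow label, hop limit, protocol text, protocol
number, length, source, destination, followed by per-protocol data). The field
names below are this example's own labels, not filterlog's.
"""
import re
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Dict, List, Optional

# Constructed sample log. Line 1 is the record from the issue; lines 2 and 3
# are made up here to show lines the filter must NOT treat as expected.
SAMPLE_LOG = """\
Apr 28 12:02:13 router filterlog[52662]: 4294967295,,,0,controltun0,ip-option,block,out,6,0x00,0x00000,1,Options,0,96,::,ff02::16,HBH,PADN,RTALERT,0x0000,
Apr 28 12:02:14 router filterlog[52662]: 4294967295,,,0,igb0,ip-option,block,in,6,0x00,0x00000,1,Options,0,96,fe80::1ff:fe23:4567:890a,ff02::16,HBH,PADN,RTALERT,0x0000,
Apr 28 12:02:15 router filterlog[52662]: 5,,,1000000105,igb0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,64,2001:db8::5,ff02::16,
"""

MLDV2_ROUTERS = IPv6Address("ff02::16")   # all-MLDv2-capable-routers group
HOP_BY_HOP = 0                             # IPv6 next-header value for Hop-by-Hop Options

_PREFIX = re.compile(r"filterlog\[\d+\]:\s*(.*)$")


@dataclass
class FilterlogV6:
    rulenr: int
    interface: str
    reason: str
    action: str
    direction: str
    hop_limit: int
    protocol_id: int
    length: int
    src: IPv6Address
    dst: IPv6Address
    extra: List[str] = field(default_factory=list)  # per-protocol fields, e.g. the HBH option chain


def parse_filterlog_v6(line: str) -> Optional[FilterlogV6]:
    """Parse one IPv6 filterlog line; return None for non-IPv6 or malformed lines."""
    m = _PREFIX.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    # 9 common fields + 8 IPv6 header fields must be present.
    if len(f) < 17 or f[8] != "6":
        return None
    try:
        return FilterlogV6(
            rulenr=int(f[0]),
            interface=f[4],
            reason=f[5],
            action=f[6],
            direction=f[7],
            hop_limit=int(f[11]),
            protocol_id=int(f[13]),
            length=int(f[14]),
            src=IPv6Address(f[15]),
            dst=IPv6Address(f[16]),
            extra=[x for x in f[17:] if x],
        )
    except ValueError:
        return None


def is_expected_mld_unspecified_drop(rec: FilterlogV6) -> bool:
    """True for the drop RFC 9777 requires: an MLDv2 Report (Hop-by-Hop header
    with Router Alert, sent to ff02::16) from the unspecified address."""
    return (
        rec.action == "block"
        and rec.reason == "ip-option"
        and rec.src.is_unspecified
        and rec.dst == MLDV2_ROUTERS
        and rec.protocol_id == HOP_BY_HOP
        and "RTALERT" in rec.extra
    )


def triage(log_text: str) -> Dict[str, List[str]]:
    """Bucket lines so only the RFC-mandated MLD drops are suppressed."""
    buckets: Dict[str, List[str]] = {"expected_mld": [], "other_ip_option": [], "other": []}
    for line in log_text.splitlines():
        rec = parse_filterlog_v6(line)
        if rec is None:
            buckets["other"].append(line)
        elif is_expected_mld_unspecified_drop(rec):
            buckets["expected_mld"].append(line)
        elif rec.reason == "ip-option":
            buckets["other_ip_option"].append(line)
        else:
            buckets["other"].append(line)
    return buckets


if __name__ == "__main__":
    for name, lines in triage(SAMPLE_LOG).items():
        print(f"{name}: {len(lines)}")
```

Run against the constructed sample, the first line lands in `expected_mld`, the second (same option chain but a real link-local source) in `other_ip_option`, and the ICMPv6 line blocked by a numbered rule in `other`. The point of checking all of source, destination, next header and the RTALERT option together is that an ip-option block with a routable or link-local source is not covered by the RFC text quoted above and should still be reviewed.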
