Netgate Discussion Forum
    Allow igmp

    Russian
    2 Posts 1 Posters 1.9k Views
    wassalam

      With pf disabled, they go through on the WAN interface

      tcpdump -i ae0 -vvn igmp
      tcpdump: listening on ae0, link-type EN10MB (Ethernet), capture size 96 bytes
      19:41:42.431935 IP (tos 0x0, ttl 1, id 41457, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
          1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138
      19:41:42.431946 IP (tos 0xc0, ttl 1, id 12406, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
          1.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 0.0.0.0 is_ex { }]
      19:41:42.722032 IP (tos 0xc0, ttl 1, id 43324, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
          1.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 0.0.0.0 is_ex { }]
      19:41:42.722069 IP (tos 0xc0, ttl 1, id 38139, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
          1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138
      19:41:48.647184 IP (tos 0x0, ttl 1, id 28631, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
          1.1.1.2 > 224.0.0.2: igmp leave 233.3.1.138
      19:41:48.647205 IP (tos 0xc0, ttl 1, id 2551, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
          1.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 0.0.0.0 is_ex { }] bad igmp cksum 0!
      19:41:48.677939 IP (tos 0xc0, ttl 1, id 1802, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
          10.76.92.65 > 233.3.1.138: igmp query v2 [max resp time 10] [gaddr 233.3.1.138]
      ^C
      7 packets captured
      5991 packets received by filter
      0 packets dropped by kernel
      

      These are the igmp packets I need.
      I enable PF and they get blocked, and the logs stay silent.

      PF rules

      scrub on pppoe0 all fragment reassemble
      scrub on dc0 all fragment reassemble
      scrub on ae0 all fragment reassemble
      anchor "relayd/*" all
      block drop in log all label "Default deny rule"
      block drop out log all label "Default deny rule"
      block drop in quick inet6 all
      block drop out quick inet6 all
      block drop quick proto tcp from any port = 0 to any
      block drop quick proto tcp from any to any port = 0
      block drop quick proto udp from any port = 0 to any
      block drop quick proto udp from any to any port = 0
      block drop quick from <snort2c> to any label "Block snort2c hosts"
      block drop quick from any to <snort2c> label "Block snort2c hosts"
      block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
      block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
      block drop in quick from <virusprot> to any label "virusprot overload table"
      block drop in log quick on pppoe0 from <bogons> to any label "block bogon networks from WAN"
      block drop in on ! pppoe0 inet from 109.161.1.1 to any
      block drop in inet from 109.161.1.1 to any
      block drop in on ! dc0 inet from 192.168.0.0/24 to any
      block drop in inet from 192.168.0.50 to any
      block drop in on pppoe0 inet6 from fe80::21d:60ff:fe8c:2fad to any
      block drop in on dc0 inet6 from fe80::2a0:ccff:fe60:8f23 to any
      block drop in log quick on ae0 from <bogons> to any label "block bogon networks from IPTV"
      block drop in on ! ae0 inet from 1.1.1.0/24 to any
      block drop in inet from 1.1.1.2 to any
      block drop in on ae0 inet6 from fe80::21d:60ff:fe8c:2fad to any
      pass in on lo0 all flags S/SA keep state label "pass loopback"
      pass out on lo0 all flags S/SA keep state label "pass loopback"
      pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass out route-to (pppoe0 10.131.240.4) inet from 109.161.1.1 to ! 109.161.1.1 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass out route-to (ae0 1.1.1.1) inet from 1.1.1.2 to ! 1.1.1.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass in quick on dc0 proto tcp from any to (dc0) port = http flags S/SA keep state label "anti-lockout rule"
      pass in quick on dc0 proto tcp from any to (dc0) port = ssh flags S/SA keep state label "anti-lockout rule"
      anchor "userrules/*" all
      pass in quick on pppoe0 reply-to (pppoe0 10.131.240.4) inet all flags S/SA keep state label "USER_RULE"
      pass in log quick on dc0 all flags S/SA keep state label "USER_RULE"
      pass in quick on dc0 all flags S/SA keep state label "USER_RULE"
      pass in quick on dc0 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
      pass in quick on ae0 reply-to (ae0 1.1.1.1) inet all flags S/SA keep state label "USER_RULE"
      anchor "tftp-proxy/*" all
      

      If it is simpler, then just one dumb rule: everything to everything everywhere, "asterisks".
      My interfaces

      ifconfig
      ae0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=82018<VLAN_MTU,VLAN_HWTAGGING,WOL_MAGIC,LINKSTATE>
              ether 00:1d:60:8c:2f:ad
              inet6 fe80::21d:60ff:fe8c:2fad%ae0 prefixlen 64 scopeid 0x1
              inet 1.1.1.2 netmask 0xffffff00 broadcast 1.1.1.255
              nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      dc0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
              options=80008<VLAN_MTU,LINKSTATE>
              ether 00:a0:cc:60:8f:23
              inet 192.168.0.50 netmask 0xffffff00 broadcast 192.168.0.255
              inet6 fe80::2a0:ccff:fe60:8f23%dc0 prefixlen 64 scopeid 0x2
              nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      pfsync0: flags=0<> metric 0 mtu 1460
              syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
      pflog0: flags=100<PROMISC> metric 0 mtu 33200
      enc0: flags=0<> metric 0 mtu 1536
      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
              options=3<RXCSUM,TXCSUM>
              inet 127.0.0.1 netmask 0xff000000
              inet6 ::1 prefixlen 128
              inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
              nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
      pppoe0: flags=8ad1<UP,POINTOPOINT,RUNNING,NOARP,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1492
              inet 109.161.1.1 --> 10.131.240.4 netmask 0xffffffff
              inet6 fe80::21d:60ff:fe8c:2fad%pppoe0 prefixlen 64 scopeid 0x7
              nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
      

      What rule is needed so that 1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138 goes through?
      And yet on the local interface it does not block igmp.
      Maybe I described the situation unclearly; I am ready to give any clarification.
      In short, I want to watch iptv; with pf off it works,
      and with it on, the igmp report is not sent out the external interface, no matter how I twisted the rules.

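An added diagnostic for the situation in the post above (example code, not from the post, pfSense, or pf itself). pf blocks IPv4 packets that carry IP options unless the pass rule admitting them has allow-opts, and the IGMP reports and queries in the capture carry the Router Alert option, which tcpdump prints as options (RA). The script parses tcpdump -v header lines and a pf rule dump in the shapes shown in the post (the embedded samples are constructed in that shape, not copied), infers each option-bearing packet's direction from the firewall's own addresses, and lists the packets for which no allow-opts pass rule applies on the named interface. The interface name ae0 and local address 1.1.1.2 are taken from the post; the rule matching deliberately ignores addresses, quick/last-match ordering and state, so it spots a missing allow-opts rather than emulating pf.

```python
"""Find option-bearing packets (e.g. IGMP with Router Alert) that no
allow-opts pass rule would admit.  pf drops IPv4 packets with IP options
unless the matching pass rule carries allow-opts."""
import re

# Constructed sample in the shape of 'tcpdump -vvn' output from the post.
TCPDUMP_SAMPLE = """\
19:41:42.431935 IP (tos 0x0, ttl 1, id 41457, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138
19:41:48.677939 IP (tos 0xc0, ttl 1, id 1802, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    10.76.92.65 > 233.3.1.138: igmp query v2 [max resp time 10] [gaddr 233.3.1.138]
19:41:50.000000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 60)
    1.1.1.2.5000 > 1.1.1.9.5000: UDP, length 32
"""

# Constructed sample in the shape of the 'pfctl -sr' style dump from the post.
RULES_SAMPLE = """\
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on ae0 reply-to (ae0 1.1.1.1) inet all flags S/SA keep state label "USER_RULE"
"""

HEADER_RE = re.compile(r"^(?P<ts>\d\S*) IP \((?P<fields>.*)\)$")
FLOW_RE = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>\S+): (?P<summary>.*)$")


def parse_tcpdump(text):
    """Parse 'tcpdump -v' IPv4 header/flow line pairs into dicts."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            fields = m.group("fields")
            proto = re.search(r"proto (\w+) \(\d+\)", fields)
            opts = re.search(r"options \(([^)]*)\)", fields)
            ttl = re.search(r"ttl (\d+)", fields)
            current = {
                "ts": m.group("ts"),
                "proto": proto.group(1).lower() if proto else None,
                "ttl": int(ttl.group(1)) if ttl else None,
                # IP options as printed by tcpdump, e.g. ["RA"]; empty if none
                "options": [o.strip() for o in opts.group(1).split(",")] if opts else [],
            }
            packets.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            current.update(src=m.group("src"), dst=m.group("dst"), summary=m.group("summary"))
    return packets


def parse_pf_rules(text):
    """Keep only the parts of each 'pass' rule that decide IP-option handling."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "pass":
            continue
        rule = {"direction": toks[1] if toks[1] in ("in", "out") else "any",
                "iface": None, "iface_negated": False, "proto": None,
                "allow_opts": "allow-opts" in toks, "text": line}
        for i, tok in enumerate(toks):
            if tok == "label":          # everything after is free text
                break
            if tok == "on":             # 'on ae0' or 'on ! ae0'
                if toks[i + 1] == "!":
                    rule["iface_negated"], rule["iface"] = True, toks[i + 2]
                else:
                    rule["iface"] = toks[i + 1]
            elif tok == "proto":
                rule["proto"] = toks[i + 1].lower()
        rules.append(rule)
    return rules


def _host(addr):
    """Strip the trailing .port tcpdump appends to IPv4 endpoints."""
    return addr.rsplit(".", 1)[0] if addr.count(".") == 4 else addr


def _rule_covers(rule, iface, direction, proto):
    if rule["direction"] not in ("any", direction):
        return False
    if rule["iface"] is not None and (rule["iface"] == iface) == rule["iface_negated"]:
        return False
    return rule["proto"] in (None, proto)


def uncovered_option_packets(packets, rules, iface, local_addrs):
    """Packets with IP options that no allow-opts pass rule admits on iface.
    Packets sourced from the firewall's own addresses count as outbound."""
    result = []
    for pkt in packets:
        if not pkt["options"]:
            continue
        direction = "out" if _host(pkt["src"]) in local_addrs else "in"
        if not any(r["allow_opts"] and _rule_covers(r, iface, direction, pkt["proto"])
                   for r in rules):
            result.append(pkt)
    return result


if __name__ == "__main__":
    pkts = parse_tcpdump(TCPDUMP_SAMPLE)
    rules = parse_pf_rules(RULES_SAMPLE)
    for p in uncovered_option_packets(pkts, rules, "ae0", {"1.1.1.2"}):
        print(f"{p['ts']} {p['src']} > {p['dst']} {p['proto']} options={p['options']}: "
              f"no allow-opts pass rule on ae0")
```

With the sample rules, the outbound IGMP report from the firewall's own address is admitted by the `pass out all ... allow-opts` rule, while the inbound IGMP query is reported because the only inbound pass rule on ae0 lacks allow-opts. In the pfSense GUI, allow-opts corresponds to the "Allow IP options" checkbox in a rule's advanced options; a pass rule without it will not admit option-bearing packets even though it otherwise matches them.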
      wassalam

        Thanks, forum; there is a solution on it too, but it was this that put me on the right track.

        http://redmine.pfsense.org/issues/54

        Problem solved!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.