I have a pair of pfSense firewall/routers set up in a CARP/XML Config cluster. On the LAN side, the switch also has a pair of servers running corosync/pacemaker/drbd. These are on a different IP network, but still generate multicast packets.

For the life of me, I cannot get pfSense to allow the packets. I tried using the easy rule button, but that failed. I also added a rule that allows all ports, all addresses with a destination of the multicast address, and enabled "allowopts" and "nostate"; all to no avail. The traffic is still stopped by the default rule. Any idea what I might be doing wrong?

Here is a shot of the rules (and yes, they've been reloaded a few times):

I've also tried "no state." The rule under the title there is the Easy-Rule, and it chose the 239 address for both the source and destination; the src port is * and the dest port is 5405.

Here is the log showing the rejection by the default rule:

It's worth noting that it originally showed the scrubbing rule was also blocking, so I disabled the packet fragment scrubbing.