We have a command called `set firewall global-options apply-to-bridged-traffic invalid-connections` that forces the firewall to accept connections from a hardcoded list of ethertypes (ARP and DHCP at the moment) even if they are (mis-)classified as invalid (see T6647).
My concern is that the list of special cases is growing and we have no guarantee that PPPoE is the last in the list. There's also a chance that people want, say, only DHCP, only ARP, or only PPPoE, depending on what they use.
I wonder if the command should be reworked into something like `accept-invalid-connections <ethertype>`. That will require a migration script.
We may want to provide human-readable aliases for common ethertypes there.