On Tue, 19 May 2020 11:09:24 +0200 nicolas prochazka <prochazka.nico...@gmail.com> wrote:
> Hello,
> I'm trying to use vxlan encapsulated into Wireguard tunnel, with a
> multicast group for announcement.
> Ex :
> ip -6 link add vxlan100 type vxlan id 100 dstport 4789 local
> `wg0Ip6_lock` group ff05::100 dev wg0 ttl 5
>
> All works very well when I set wg tunnel with ::/0 as allowed-ips,
> but if I'm trying to be more restrictive, as ff05::/32 for example,
> it does not work.
> Is there a specific interaction between allowed-ips and multicast group in ipv6?

AFAIK multicast or broadcast do not work over WG at all. There's no special
handling for it, and no mechanism to duplicate the same packet and send it out
to several peers at once.

For VXLAN you have to rely on adding each peer's MAC and its underlying IP
explicitly via "bridge fdb append".

To make it simpler you could use MACs and IP(v6)s generated from peers' public
keys, so there will be no need for any centralized system of tracking and
management for those. Or as I do, just generate them from hashes of peers'
human readable names.

-- 
With respect,
Roman
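As an added illustration of the unicast-FDB approach Roman describes (editor's example, not code from the thread or from the WireGuard or iproute2 projects): the script below derives a stable MAC and a wg0 IPv6 address for each peer from a hash of its public key (or, as Roman does, of its name) and prints the `ip`, `wg set` and `bridge fdb append` commands a node would run. The ULA prefix `fd00:7767::/64`, the interface name `vxlan100`, VNI 100 and the sample peers with their "keys" are all constructed for the example; the keys are not real WireGuard keys, just 32 deterministic bytes encoded the way `wg` prints them.

```python
"""Derive VXLAN MACs and WireGuard tunnel IPv6 addresses from a per-peer seed
and emit the unicast FDB entries that replace multicast-based VXLAN discovery.

Editor's example for the thread above; not code from the thread, WireGuard or
iproute2. Prefix, device names, peer names and keys are constructed.
"""
import base64
import hashlib
import ipaddress

# Assumed (hypothetical) addressing: wg0 interior addresses live in this ULA /64.
WG_PREFIX = ipaddress.IPv6Network("fd00:7767::/64")
VXLAN_DEV = "vxlan100"
VNI = 100
VXLAN_PORT = 4789
DOMAIN = b"vxlan-over-wg-v1:"  # domain separator so the same key can seed other derivations


def derive_identity(seed: bytes) -> dict:
    """Map a peer seed to {"mac", "wg_ip6"}.

    seed is either the raw 32-byte public key (base64-decoded) or the UTF-8
    bytes of the peer's human-readable name. Because it is a pure hash, every
    node computes the same answer offline; no central registry is needed.
    """
    d = hashlib.sha256(DOMAIN + seed).digest()

    mac = bytearray(d[:6])
    mac[0] = (mac[0] | 0x02) & 0xFE  # locally administered, unicast (I/G bit clear)
    mac_str = ":".join(f"{b:02x}" for b in mac)

    host_bits = 128 - WG_PREFIX.prefixlen
    host = int.from_bytes(d[6:22], "big") & ((1 << host_bits) - 1)
    host = host or 1  # never hand out the subnet-router anycast address (host part 0)
    ip6 = ipaddress.IPv6Address(int(WG_PREFIX.network_address) | host)
    return {"mac": mac_str, "wg_ip6": str(ip6)}


def seed_from_pubkey(pubkey_b64: str) -> bytes:
    raw = base64.b64decode(pubkey_b64)
    if len(raw) != 32:
        raise ValueError("WireGuard public keys are 32 bytes")
    return raw


def local_setup_commands(me: dict) -> list:
    """Commands a node runs for its own vxlan100: no `group`, so no multicast."""
    return [
        f"ip link add {VXLAN_DEV} type vxlan id {VNI} dstport {VXLAN_PORT} "
        f"local {me['wg_ip6']} dev wg0 ttl 5",
        f"ip link set {VXLAN_DEV} address {me['mac']}",
        f"ip link set {VXLAN_DEV} up",
    ]


def peer_commands(peer: dict, pubkey_b64: str) -> list:
    """Per-peer entries: AllowedIPs narrowed to the peer's /128, plus the two
    FDB entries that replace multicast discovery.

    The all-zero MAC entry is the flood list: the vxlan driver replicates BUM
    frames (ND/ARP, unknown unicast) to every dst appended under it, so the
    duplication WireGuard itself lacks happens one layer up, inside vxlan.
    """
    ip6 = peer["wg_ip6"]
    return [
        f"wg set wg0 peer {pubkey_b64} allowed-ips {ip6}/128",
        f"bridge fdb append 00:00:00:00:00:00 dev {VXLAN_DEV} dst {ip6}",
        f"bridge fdb append {peer['mac']} dev {VXLAN_DEV} dst {ip6}",
    ]


# Constructed sample peers: NOT real WireGuard keys, just 32 deterministic
# bytes encoded like `wg pubkey` output so the example runs offline.
SAMPLE_PEERS = {
    name: base64.b64encode(hashlib.sha256(name.encode()).digest()).decode()
    for name in ("alpha", "bravo", "charlie")
}


def build_plan(my_name: str, peers: dict = SAMPLE_PEERS) -> list:
    """All commands for node my_name. Seeds here are decoded public keys;
    pass name.encode() to derive_identity instead for the name-hash variant."""
    me = derive_identity(seed_from_pubkey(peers[my_name]))
    cmds = local_setup_commands(me)
    for name, key in peers.items():
        if name == my_name:
            continue
        cmds += peer_commands(derive_identity(seed_from_pubkey(key)), key)
    return cmds


if __name__ == "__main__":
    print("\n".join(build_plan("alpha")))
```

Every node runs the same script with its own name, so the full mesh is configured from nothing but the peer list. The `00:00:00:00:00:00` entries are what make ND and unknown-unicast work without a multicast group: vxlan head-end-replicates such frames to each listed dst, and since each dst is a single peer's /128 inside wg0, AllowedIPs no longer needs `::/0`.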