pfSense

Moving this over from the internal Redmine (NG 5521)

From reports I've seen on other platforms, WireGuard should be passing multicast traffic, but it does not.

The interface reports MULTICAST in its capabilities:

: ifconfig wg0
wg0: flags=8080c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=880000<LINKSTATE>
        inet 10.15.210.2 netmask 0xffffff00
        inet6 fe80::290:bff:fe37:a324%wg0 prefixlen 64 scopeid 0xa
        groups: wg
        listen-port: 51820
        private-key: yEGEI23vEu1OWYoCC9SJujvP53twqTxgtx0+nPoTmWM=
        public-key:  VBzLM57GLcW0guY2MQF8OZgI2HQKhAWqTE5qeMIANHo=
        media: Ethernet autoselect (25GBase-ACC <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

When attempting to use OSPF, it appears to have joined the appropriate groups:

: ifmcstat -i wg0
wg0:
        inet 10.15.210.2
        igmpv3 rv 2 qi 125 qri 10 uri 3
                group 224.0.0.6 mode exclude
                group 224.0.0.5 mode exclude
        inet6 fe80::290:bff:fe37:a324%wg0 scopeid 0xa
        mldv2 flags=2<USEALLOW> rv 2 qi 125 qri 10 uri 3
                group ff01::1%wg0 scopeid 0xa mode exclude
                group ff02::2:c735:9c5f%wg0 scopeid 0xa mode exclude
                group ff02::2:ffc7:359c%wg0 scopeid 0xa mode exclude
                group ff02::1%wg0 scopeid 0xa mode exclude
                group ff02::1:ff37:a324%wg0 scopeid 0xa mode exclude
        inet 10.15.210.2
        igmpv3 rv 2 qi 125 qri 10 uri 3
                group 224.0.0.1 mode exclude

tcpdump shows the multicast traffic egress via wg0, and I see the outer WireGuard packets on the external interfaces, but nothing arrives at the wg0 interface on the peer, so it appears to be getting dropped by the kernel.

Additional notes from Peter:

[This is only viable for tunnels with a single peer]
OpenBSD advertises multicast capability, but also has no replication for multicast/broadcast traffic.
I'll have a look at the Linux wireguard implementation and see what it does.