Multi Ip WAN, Hamachi and Portforwarding

jcassel

I have a lot of experience working with Monowall but yesterday I installed my first PFSense FW. All in all pretty painless. There is one open issue I have. Hamachi is relaying. We rely on Hamachi a lot because a lot of our people work at home and or are in India.

General setup is like this.
One PFSense(PFS) WAN has 5 Ips
I have several port mappings for HTTP and HTTPs as well as FTP and some VNC connections.

We are using Hamachi on almost all our systems and I want to get it to stop relaying. My understanding is that I need to setup a (AON) to make Hamachi work behind PFS.
The question for me is do I also have to setup other (AON) entries for all the other things I want to be able to get out. Like the web servers?

Also there are several servers with Hamachi running on them. All the posts I have seen seem to be talking about a single system with Hamachi behind PFS. Will I have to create an entry for each instance and will I then also have to go to each Hamachi instance and set its port?

Any assistance would be great..

thank you,

jcassel

I did a lot of searching on this topic and really I found nothing that gave the full setup and explanation that made sense to me, so I ended up going back to an older version(1.231) of Monowall to clear up the issue. I then updated until Hamachi stopped working. Looking at the version change log I found that there was a change that made the firewall remap the ports for UDP connection. Where this is slightly more secure, it is also not compatible with Hamachi.

False Hope(Skip this if you don't care to know what not to do.)
Before I found the correct solution,I first had a false positive correction where I setup each internal Hamachi instance to have its own port to connect with. This is done by setting up the UDP IP and port for the Hamachi instance in Hamachi advanced settings. Then Adding a port forward for each one in the firewall. This seems to work at first but when you have PCs that disconnect and reconnect over time they will all go to Relay Tunnel. This is because at first the ports that are assigned are used but at some point they get remapped. This can be confusing because if you restart the internal Hamachi instance, it will clear up for all connected clients. This is not a solution. Since you will find your self running around every day resetting Hamachi instances or setting up restart times for the Hamachi service.

To make Hamachi work on either Monowall or Pf-sense, you have to create an Outbound NAT rule for your Lan network Subnet that has the disable port mapping checked. Then turn enable Advanced outbound Nat. When you don't have (AON ) turned on there is a rule just like this created for you but without the port mapping turned off.

Basically your rule should look something resembling this(see below) if you have a Lan setup like with 192.168.0.x / 24 (Subnet:255.255.255.0) .

Create a NAT Outbound mapping entry that has these settings.
(see attached image for monowall screen shot.)
Interface:wan
Source: 192.168.0.0 / 24
Destination: any
Target: blank
Portmap: checked
Description: [what ever you like]

Don't forget to turn on AON (check box )

If this entry is correct you should not see any changes to your FW operation. The only real difference you should see is that Hamachi and other UDP using traffic should start to work as expected.

Hope this helps someone, I know it would have helped me save several days of experimenting.