Hamachi



  • I am having trouble connecting to Hamachi (www.hamachi.cc) through my pfSense router/firewall. I can connect, but my friends are all yellow instead of green. I have another friend that uses pfSense and he is also able to connect, but everyone is yellow.

    We tried the port forwarding, and using "Magic Option" with no luck. I found the following posts on Hamachi's site, but still no luck:
    http://forums.hamachi.cc/viewtopic.php?t=26&highlight=m0n0wall
    http://forums.hamachi.cc/viewtopic.php?t=1079&highlight=bsd

    Anyone using Hamachi behind pfSense with any luck?



  • You need to set up an advanced outbound rule that maintains the same source and destination port for Hamachi.

    This has been covered in their forum with the OpenBSD thread.



  • CrashX, did you figure this out?  If so, could you share your wisdom?  I simply don't have time to go digging through their stuff trying to figure it out right now.

    Thanks in advance



  • Unfortunately no. I messed with it quite a bit as did my friend with pfsense.
    The OpenBSD thread at Hamachi doesn't really help much as it isn't saying what goes where in pfsense, but is more generic to BSD.
    So I don't know what else to try. I will probably just end up switching back to a Linux box with shorewall, unless someone has a specific walk through for Hamachi over pfsense.



  • Visit NAT -> Outbound.

    Create a new rule.

    Then see this screenshot.



  • Thx for the help sullrich, and I'll implement tonight or tomorrow



  • I tried the setting from the screen shot, field for field and still no luck. Besides the outbound NAT entry provided, is there a setting somewhere else that needs to be set?



  • That should be it, the rule matches what was said in the forum.

    Make sure you change 10.0.250.69 to your private ip of your workstation.

    Also restart Hamachi.



  • Also, depending on the speed of your machine, it could take a couple seconds to actually update the rules.  We give the user back control and spawn off a process to create rules in the background.  This can take some time depending on shaper rules and speed of machine.

    –Bill



  • I have also encountered this problem  :-\

    I have done the advanced outbound nat rule as Sullrich did it (only changed IP to 192.168.0.2).

    Hamachi has been configured with the magic option port 12975.

    No extra port forwards or firewall rules, and I'm on BETA 1

    My states show med (192.168.0.2 is the computer with hamachi and 81.XX.134.139 is my public ip at the moment):

    self tcp 64.34.106.33:12975 <- 192.168.0.2:3308                                             FIN_WAIT_2:FIN_WAIT_2
    self tcp 64.34.106.33:12975 <- 192.168.0.2:3309                                             ESTABLISHED:ESTABLISHED
    self tcp 192.168.0.2:3309 -> 81.XX.134.139:61521 -> 64.34.106.33:12975        ESTABLISHED:ESTABLISHED
    self tcp 192.168.0.2:3308 -> 81.XX.134.139:60332 -> 64.34.106.33:12975        FIN_WAIT_2:FIN_WAIT_2
    self udp 64.34.106.33:43961 <- 192.168.0.2:12975                                           NO_TRAFFIC:SINGLE
    self udp 64.34.106.33:11711 <- 192.168.0.2:12975                                           NO_TRAFFIC:SINGLE
    self udp 64.34.106.74:3713 <- 192.168.0.2:12975                                             NO_TRAFFIC:SINGLE
    self udp 82.165.226.212:3892 <- 192.168.0.2:12975                                         NO_TRAFFIC:SINGLE
    self udp 192.168.0.2:12975 -> 81.XX.134.139:57157 -> 64.34.106.33:43961      SINGLE:NO_TRAFFIC
    self udp 192.168.0.2:12975 -> 81.XX.134.139:50945 -> 64.34.106.33:11711      SINGLE:NO_TRAFFIC
    self udp 192.168.0.2:12975 -> 81.XX.134.139:64298 -> 64.34.106.74:3713        SINGLE:NO_TRAFFIC
    self udp 192.168.0.2:12975 -> 81.XX.134.139:60112 -> 82.165.226.212:3892    SINGLE:NO_TRAFFIC



  • @MikaelS:

    I have also encountered this problem  :-\

    I have done the advanced outbound nat rule as Sullrich did it (only changed IP to 192.168.0.2).

    Hamachi has been configured with the magic option port 12975.

    No extra port forwards or firewall rules, and I'm on BETA 1

    My states show med (192.168.0.2 is the computer with hamachi and 81.XX.134.139 is my public ip at the moment):

    self tcp 64.34.106.33:12975 <- 192.168.0.2:3308                                            FIN_WAIT_2:FIN_WAIT_2
    self tcp 64.34.106.33:12975 <- 192.168.0.2:3309                                            ESTABLISHED:ESTABLISHED
    self tcp 192.168.0.2:3309 -> 81.XX.134.139:61521 -> 64.34.106.33:12975        ESTABLISHED:ESTABLISHED
    self tcp 192.168.0.2:3308 -> 81.XX.134.139:60332 -> 64.34.106.33:12975        FIN_WAIT_2:FIN_WAIT_2
    self udp 64.34.106.33:43961 <- 192.168.0.2:12975                                          NO_TRAFFIC:SINGLE
    self udp 64.34.106.33:11711 <- 192.168.0.2:12975                                          NO_TRAFFIC:SINGLE
    self udp 64.34.106.74:3713 <- 192.168.0.2:12975                                            NO_TRAFFIC:SINGLE
    self udp 82.165.226.212:3892 <- 192.168.0.2:12975                                        NO_TRAFFIC:SINGLE
    self udp 192.168.0.2:12975 -> 81.XX.134.139:57157 -> 64.34.106.33:43961      SINGLE:NO_TRAFFIC
    self udp 192.168.0.2:12975 -> 81.XX.134.139:50945 -> 64.34.106.33:11711      SINGLE:NO_TRAFFIC
    self udp 192.168.0.2:12975 -> 81.XX.134.139:64298 -> 64.34.106.74:3713        SINGLE:NO_TRAFFIC
    self udp 192.168.0.2:12975 -> 81.XX.134.139:60112 -> 82.165.226.212:3892    SINGLE:NO_TRAFFIC

    Hmmm, that certainly looks like the NAT isn't working right.  I'll take a look.

    –Bill



  • Uhhh, NAT rules are like filter rules, first match.  I'm betting you have the default NAT from LAN to WAN rule first.  Please re-order them.

    –Bill



  • Yes, you were right about the order of the rules; this is now fixed but still no luck  :'(

    I reset my states and tested a couple of times but no luck.
    The only thing I have done is magic option in Hamachi (12975) and the advanced outbound nat.
    This is correct?

    My states:

    self tcp 64.34.106.33:12975 <- 192.168.0.2:1328                                            ESTABLISHED:ESTABLISHED
    self tcp 192.168.0.2:1328 -> 81.XX.134.139:57915 -> 64.34.106.33:12975       ESTABLISHED:ESTABLISHED
    self udp 64.34.106.33:43961 <- 192.168.0.2:12975                                          NO_TRAFFIC:SINGLE
    self udp 64.34.106.33:11711 <- 192.168.0.2:12975                                          NO_TRAFFIC:SINGLE
    self udp 64.34.106.74:3713 <- 192.168.0.2:12975                                            NO_TRAFFIC:SINGLE
    self udp 82.165.226.212:3892 <- 192.168.0.2:12975                                         NO_TRAFFIC:SINGLE
    self udp 192.168.0.2:12975 -> 81.XX.134.139:57234 -> 64.34.106.33:43961      SINGLE:NO_TRAFFIC
    self udp 192.168.0.2:12975 -> 81.XX.134.139:59478 -> 64.34.106.33:11711      SINGLE:NO_TRAFFIC
    self udp 192.168.0.2:12975 -> 81.XX.134.139:61194 -> 64.34.106.74:3713        SINGLE:NO_TRAFFIC
    self udp 192.168.0.2:12975 -> 81.XX.134.139:51526 -> 82.165.226.212:3892    SINGLE:NO_TRAFFIC



  • I too only have the Advanced Outbound NAT set up and the Magic Option in Hamachi set. I have the Hamachi outbound rule above the default rule and still have the same results.

    self  tcp  192.168.10.50:1400  ->  66.93.XXX.XXX:59271  ->  64.34.106.33:12975    ESTABLISHED:ESTABLISHED
    self  tcp  64.34.106.33:12975  <-  192.168.10.50:1400        ESTABLISHED:ESTABLISHED



  • Isn't hamachi using UDP?  Perhaps my screenshot was wrong in this regard.  Please remove nat+firewall rules and start over but use UDP.

    Scott



  • I don't see that Outbound NAT lets you choose between UDP and TCP.



  • Well then verify the outbound rule is the first in the list before all other rules.



  • @sullrich:

    Well then verify the outbound rule is the first in the list before all other rules.

    That's what I have done (Hamachi NAT rule is at top).
    But it isn't working.
    No firewall rules needed? Or anything else?

    Happy new year to all!



  • Okay, time to install this beast.

    Can you tell me how we can get a tunnel connected for testing?



  • I created one for testing.

    Network name: pfsense
    Password: pfsense



  • It should turn green if the connection is good. Yellow if there is a problem.



  • Edit the outgoing rule and remove the source port.

    Then make sure the magic option is enabled in Hamachi.



  • Well as a follow up, I tried to set it up at my work and home (both running pfSense).

    No matter what I tried, I could not get it working.

    Sorry!



  • I have been trying everything suggested, without any luck.



  • @CrashX:

    I have been trying everything suggested, without any luck.

    I tried manually entering every combo of rule found in the Hamachi forum and nothing seems to work.

    Not really sure what's going on, the Hamachi developers are going to have to give us better examples of how to make this work and they will also need to clarify why they feel that PF "over locks nat" down.



  • I'll poke at this over the weekend and see if I can figure out what's wrong with the NAT.  We aren't using static-port as they suggest, but we should have been forcing the source port to be what was specified.

    –Bill



  • I got it working with a 1:1.

    • Remove all prior outbound nat rules and nat port forwards pertaining to Hamachi previously setup

    • Add a Firewall -> NAT -> 1:1 to your computer

    • enable magic option in Hamachi

    • add a firewall rule to the magic port with your internal ip.  the default is 12975



  • Erg, I hate to reply w/in an hour of the last reply, but I think I see the problem.  We are going to need static-port, the implementation of that will need to be somewhat carefully thought out as it's very easy to hose stuff up (Windows doesn't use terribly random source ports, conflicts are guaranteed).  1:1 NAT (for those with more than one IP) might be an option - or for those with only one machine behind pfSense.

    –Bill
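
Added example (not part of the original thread): a small Python check over state-table lines in the layout posted above, reporting whether outbound NAT kept Hamachi's UDP source port 12975, which is the effect static-port is meant to have. The sample lines are constructed with documentation addresses, and the function names are hypothetical.

```python
import re

# Translated state: proto, LAN ip:port -> WAN ip:port -> remote ip:port, state
NAT_STATE = re.compile(
    r"^\s*\S+\s+(?P<proto>tcp|udp)\s+\S+:(?P<lan_port>\d+)\s+->\s+"
    r"\S+:(?P<wan_port>\d+)\s+->\s+(?P<remote>\S+:\d+)\s+(?P<state>\S+)\s*$"
)

# Constructed samples (documentation addresses), same layout as the thread.
BEFORE = """\
self tcp 198.51.100.33:12975 <- 192.168.0.2:3309    ESTABLISHED:ESTABLISHED
self tcp 192.168.0.2:3309 -> 203.0.113.10:61521 -> 198.51.100.33:12975    ESTABLISHED:ESTABLISHED
self udp 192.168.0.2:12975 -> 203.0.113.10:57157 -> 198.51.100.33:43961    SINGLE:NO_TRAFFIC
self udp 192.168.0.2:12975 -> 203.0.113.10:50945 -> 198.51.100.74:3713    SINGLE:NO_TRAFFIC
"""
AFTER = """\
self udp 192.168.0.2:12975 -> 203.0.113.10:12975 -> 198.51.100.33:43961    MULTIPLE:MULTIPLE
"""

def parse_nat_states(text):
    """Return a dict per translated (three-address) line; '<-' lines are skipped."""
    states = []
    for line in text.splitlines():
        m = NAT_STATE.match(line)
        if m:
            s = m.groupdict()
            s["lan_port"], s["wan_port"] = int(s["lan_port"]), int(s["wan_port"])
            states.append(s)
    return states

def rewritten(states, proto="udp", lan_port=12975):
    """States from the magic-option port whose source port NAT changed."""
    return [s for s in states if s["proto"] == proto
            and s["lan_port"] == lan_port and s["wan_port"] != lan_port]

def port_preserved(states, proto="udp", lan_port=12975):
    """True only if matching states exist and none had its port rewritten."""
    seen = [s for s in states if s["proto"] == proto and s["lan_port"] == lan_port]
    return bool(seen) and not rewritten(states, proto, lan_port)

if __name__ == "__main__":
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        states = parse_nat_states(dump)
        for s in rewritten(states):
            print(f"{label}: udp 12975 left the WAN as {s['wan_port']} to {s['remote']}")
        print(label, "source port preserved:", port_preserved(states))
```
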



  • I must thank you all for testing this; I know that you all have limited time for supporting something that isn't pfSense specific.
    This is much appreciated!



  • Well I got it working using 1:1. I have multiple static IPs from my ISP. I set up a second one as a virtual IP and then used that IP 1:1 to the computer I want to use Hamachi on.
    So this is a workable situation for me, because I have multiple static IPs. But I have a friend who gets one dynamic IP, and this wouldn't work for him because his PC could do 1:1 but then his other PCs couldn't get out.



  • @CrashX:

    Well I got it working using 1:1. I have multiple static IPs from my ISP. I set up a second one as a virtual IP and then used that IP 1:1 to the computer I want to use Hamachi on.
    So this is a workable situation for me, because I have multiple static IPs. But I have a friend who gets one dynamic IP, and this wouldn't work for him because his PC could do 1:1 but then his other PCs couldn't get out.

    Understood.  I'll work on this for 1.1, the NAT code is so important that we can't really risk breaking it in the middle of the beta cycle (unless it was actually broken).

    We have a number of checks in place to stop 1:1 NATs being used on the same external address as an outbound NAT, but play around a little bit, I suspect you might be able to create the 1:1, then create an outbound NAT using the same address (just using Interface Address).  It might work depending on how we order the NATs in the rule file (I can't recall if we put binat first or nat - the order obviously makes a huge difference in packet matching :))

    –Bill



  • Only one of you needs to do the 1:1 trick.

    I left my work machine off of a 1:1 and I am still green to it.



  • I see that you are working on some static port? http://cvstrac.pfsense.com/chngview?cn=9024

    Is this a solution to the Hamachi problem??



  • Yep



  • It's working using Outbound NAT in PREBETA2-BUGVALIDATION4 (yeah the one that's been pulled from the server…)

    I set it up like this:

    And as noted in other posts, set the Hamachi > Preference > System > Magic Option to that default port.

    Works great here with no other added rules, etc!!

    I'm not sure which pfSense Version is the first to have the Outbound NAT with the Static-port option, but it works in this build...

    Otherwise perhaps update yours from the cvstrac link in an earlier post in this thread...

    And just an update:
    If you have more than 1 Hamachi client behind your firewall, set each one to a different port, and then add that port to the Outbound NAT just like the first one. Make sure the rule ends up above the "Default" Allow All rule as is pictured on the bottom in the second linked screenshot.








  • Great to hear!  This option was added right after beta 1 was released so its included in all the pre-beta2 images.



  • I am running the 1.0-BETA1-TESTING-SNAPSHOT-2-20-06 and I can't get this to work for me.  I have my configs the same way as the screenshots and my Hamachi still doesn't connect.  What version of Hamachi are you running?  I can't get a newer version than 1.39 anywhere, everyone mirrors back to Hamachi's servers.  Any other ideas?



  • Works for every version of the Ham I've used, starting from 0.99.xx up to most recent.

    Did you remember to set the "Magic option"?
    If you're running Windows XP SP2, did you make sure the firewall is opened on it? (Or if you're running some other system firewall…)
    Did you make sure the Outbound NAT option that you added is above the default "allow all" rule?

    Maybe send us a screenshot of your Outbound NAT screen. (Alt+PrintScreen on Windows will capture only the active window to the clipboard, then just paste it into M$ Paint, or another Image Program if you have it...)

    Hope this helps! :D

    PS: You can find the latest Betas on the forum here: http://forums.hamachi.cc/viewforum.php?f=14&sid=e03938855a339e23331b702b18b6657a








  • Sorry for the delay in replying … spring break time and all.  I have upgraded pfsense to the beta 2 rc5, but I am still having difficulties.  Here are screenshots of my pfsense setup.  I am also getting errors loading my NAT settings.  The error is:

    [filter_load] There were error(s) loading the rules: /tmp/rules.debug:21: the static-port option can't be used when specifying a port rangepfctl: Syntax error in config file: pf rules not loaded.  The line in question reads [21]:  nat on xl1 from 10.1.10.0 / 24 to any -> (xl1) port 12975 static-port

    Also, I go to the Hamachi beta download page and try to download release 52 and the download times out trying to get the file off the servers.  I can't update through the software either.  Not expecting you guys to do anything, just informing.








  • Hmm, dunno what to say. I remember having that error too, I don't remember what fixed it, but it's gone. All I can suggest is trying a complete fresh install of your firewall from the iso with the latest version. Just save a backup of your config on the Backup/Restore page, and then copy that config<whatever>.xml to a floppy. On the floppy make a folder called conf (edit) and copy that config file you saved, but rename it to config.xml.

    Hope that helps.

