access IPTV Cameras from outside

Hi!

I cannot set up port-forwarding rules on a MikroTik 951Ui-2nD router.

  1. I have a static IP address, 10.179.238.36, assigned by the ISP; the main WiFi router is connected to it.
  2. The first internal WiFi segment is 192.168.1.0, with 192.168.1.1 as the gateway to the ISP.
  3. The MikroTik router (secondary) is connected to the main WiFi router wirelessly and has the address 192.168.1.8. It serves DHCP for the second internal LAN segment, the video-surveillance area, which is 192.168.88.0.
  4. The IP cameras have the addresses 192.168.88.252 and 192.168.88.253. Each has an internal web interface on port 80.
  5. The Video Registration Server is at address 192.168.88.240, port 5000.

The idea is to reach both cameras and the video server through port-forwarding rules from the first internal WiFi segment (192.168.1.0):

  1. 192.168.1.8:252 => 192.168.88.252:80 (tcp)
  2. 192.168.1.8:253 => 192.168.88.253:80 (tcp)
  3. 192.168.1.8:240 => 192.168.88.240:5000

And to reach the MikroTik admin interface (WebFig) from the first internal WiFi segment on port 8000 (192.168.1.8:8000 => 192.168.88.1:80).

I cannot reach the cameras, the Video Registration Server, or the MikroTik WebFig admin interface from the first internal WiFi segment (the PC's address is 192.168.1.126).

The MikroTik settings exported from the device are as follows:

# sep/06/2020 18:31:34 by RouterOS 6.47.3
# software id = HRBJ-YKUT
#
# model = 951Ui-2nD

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# This paste lost its line-continuation backslashes: the three lines below are one "add"
# command, as are the four-line "set" under /interface wireless and the two-line /ip address entry.
add authentication-types=wpa-psk,wpa2-psk eap-methods=""
management-protection=allowed mode=dynamic-keys name=XXXXXXXXX
supplicant-identity=""
/interface wireless
# wlan1 is the wireless uplink to the main router (it is the WAN-list member below). No mode=
# is exported, so presumably the default station mode -- confirm.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC
disabled=no distance=indoors frequency=2442 installation=
indoor security-profile=XXXXXXXXXXX ssid=XXXXXXXXXXX
wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# wlan1's bridge-port entry is disabled, which is right for an uplink: it must not join the LAN bridge.
add bridge=bridge comment=defconf disabled=yes interface=wlan1
# ether1 is bridged as a LAN port; the dhcp-client entry for ether1 further down therefore cannot
# run (that is the "DHCP client can not run on slave interface!" message in this export).
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wlan1 list=WAN
/ip accounting
set enabled=yes
/ip accounting web-access
# NOTE(review): publishes the accounting table through the router's web server; with the
# input-chain "drop all not coming from LAN" rule disabled (see the filter section of this
# export) nothing limits who can read it. Disable if unused, or restrict it.
set accessible-via-web=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
# NOTE(review): 192.168.1.8 is bound to the LAN bridge, not to wlan1 (the WAN member), so the
# router has no address on the interface where the 192.168.1.0 traffic actually arrives. The
# working export posted later drops this line and takes 192.168.1.8 from the wlan1 dhcp-client.
add address=192.168.1.8 interface=bridge network=192.168.1.0
/ip dhcp-client

DHCP client can not run on slave interface!

# Two dhcp-clients. ether1 is a bridge port (slave) in this export, which is what the
# "DHCP client can not run on slave interface!" message printed just above refers to.
add comment=defconf disabled=no interface=ether1
add disabled=no interface=wlan1
/ip dhcp-server lease
# Static leases pinning the cameras and the video server to the addresses the dst-nat rules target.
add address=192.168.88.253 client-id=Cam-1 mac-address=
XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.88.252 client-id=Cam-2 mac-address=
XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.88.240 client-id=Video-Server mac-address=
XX:XX:XX:XX:XX:XX server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router answers DNS queries for others. With the input-chain WAN drop below disabled,
# that is not limited to the LAN side.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): disabled=yes. This is the only input-chain rule that blocks traffic arriving
# from outside the LAN list, so every router service (WebFig on 80, Winbox, DNS, the accounting
# page) answers on all interfaces, wlan1 included. Re-enable it once the port forwards work;
# dst-NATed traffic goes through the forward chain, not input, so it is not affected.
add action=drop chain=input comment="defconf: drop all not coming from LAN"
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
# New connections from the WAN list that were not dst-NATed are dropped here, so the dst-nat
# entries are the only way in from the uplink -- no separate "allow port forwarding" rule is needed.
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

NAT Rules

/ip firewall nat
# NOTE(review): in-interface=wlan1 correctly limits these forwards to the uplink, but two of
# them do not match the plan in the post: the second rule netmaps to .254 while Cam-1 holds the
# .253 lease, and the third listens on dst-port=40 rather than the intended 240. The WebFig
# forward from the post (192.168.1.8:8000) has no rule here; while the input chain accepts
# uplink traffic, the router's own web service is reachable directly anyway.
add action=dst-nat chain=dstnat dst-address=192.168.1.8 dst-port=252
protocol=tcp in-interface=wlan1 to-addresses=192.168.88.252 to-ports=80
add action=netmap chain=dstnat dst-address=192.168.1.8 dst-port=253
protocol=tcp in-interface=wlan1 to-addresses=192.168.88.254 to-ports=80
add action=dst-nat chain=dstnat dst-address=192.168.1.8 dst-port=40
protocol=tcp in-interface=wlan1 to-addresses=192.168.88.240 to-ports=5000
# to-addresses=192.168.1.1 names the upstream gateway; masquerade normally uses the outgoing
# interface's own address, so this parameter looks out of place -- verify what it was meant for.
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN to-addresses=192.168.1.1
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Okay, with such a convoluted setup, don't you think some diagrams would be reasonable?
I sense with my Yoda skills, that you have multiple routers and layers of NAT involved.
The good news is that you do have a public IP in the mix as the starting point so there should be few issues getting from the external net (outside) to your servers.
This assumes you have access as admin to all the routers along the route.
Once I see the diagrams it will become clear, I am just too lazy to do it in my head at the moment.

I do hope that is not your real WAN IP, as one shouldn't publish it; give us a fake one or letters if it is indeed real.

Untitled Diagram (1).jpg

In this scenario,
The primary router needs to forward ports 80 and 5000 to the MikroTik router. This is simply a matter of stating, on the primary router, that any traffic arriving on ports 80 and 5000 needs to be forwarded to 192.168.1.8.

The main problem I see is that you have two LAN IPs using the same port.
If you can change that, it would be best; if not — and I will presume you cannot — there may be a workaround.
In addition to 80 and 5000, add port 8880 to the list of ports being forwarded to the MikroTik.

Then the rest is configuring port forwarding on the MikroTik.
You need one generic source-NAT rule, three dst-NAT rules, and a generic firewall rule allowing port forwarding.


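/ip firewall nat
# Generic source NAT: traffic from the camera LAN leaving toward the uplink is rewritten to
# 192.168.1.8. WAN is an interface *list* ("/interface list" in the export), so the matcher is
# out-interface-list, not out-interface (the working export later in the thread uses the same).
add chain=srcnat src-address=192.168.88.0/24 action=src-nat to-addresses=192.168.1.8 out-interface-list=WAN

# Port forwards. in-interface-list=WAN restricts them to connections arriving from the uplink,
# so together with the existing "drop all from WAN not DSTNATed" forward rule these three
# entries are the only entry path. protocol=tcp is one token (no space after "=").
add chain=dstnat action=dst-nat in-interface-list=WAN dst-address=192.168.1.8 protocol=tcp dst-port=80 to-addresses=192.168.88.252 to-ports=80
# ****** Second camera on its own outside port 8880 -- the port named in the text of this
# reply (the original line said 8888); see the note further down about reaching it.
add chain=dstnat action=dst-nat in-interface-list=WAN dst-address=192.168.1.8 protocol=tcp dst-port=8880 to-addresses=192.168.88.253 to-ports=80
add chain=dstnat action=dst-nat in-interface-list=WAN dst-address=192.168.1.8 protocol=tcp dst-port=5000 to-addresses=192.168.88.240 to-ports=5000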


**** Thus, besides the usual, easier access to your IPTV cameras from the cloud (through an app on your cell phone, for example), one should now be able to reach the IPTV cameras directly when away from home.
As expected, you can enter the parameters :80 and :5000 for the first IPTV camera and the black box(?), and of course the actual WAN IP 10.179.238.36.
For the second IPTV camera you use the entry port parameter :8880.


As for your config.
yuckkk, you have wifi as your WAN, I have great pity for you.

# Quoted from the first export: the wlan1 bridge-port entry, currently disabled.
add bridge=bridge comment=defconf disabled=yes interface=wlan1
This needs two actions:
a. remove your WAN from the bridge (remove this line);
b. enable the rule so your WAN is live.

Your WAN is hosed......
# Quoted from the first export: 192.168.1.8 is bound to the bridge (LAN side) rather than to wlan1.
add address=192.168.1.8 interface=bridge network=192.168.1.0
/ip dhcp-client

DHCP client can not run on slave interface!

# The warning above refers to ether1, which is a bridge port (slave) in the same export.
add comment=defconf disabled=no interface=ether1
add disabled=no interface=wlan1

It should be
# Suggested replacement: bind the uplink address to wlan1 (the WAN member). The export the
# poster later called working instead has no static 192.168.1.8 and leaves wlan1 on its dhcp-client.
add address=192.168.1.8 network=192.168.1.0 interface=wlan1

The good news is that you have a firewall rule that covers port forwarding in a backwards but plausible manner.....
# Quoted forward-chain rule: new connections arriving from the WAN list that were not dst-NATed
# are dropped, so only the explicit port forwards get through -- no extra "allow" rule is needed.
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

As for your current NAT rules, get rid of these. I don't know what the ipsec rule is for, so I won't comment, and I don't know what your port 40 rule is for, so I won't comment on that either.
# Quoted from the first export. The quote is garbled: the "protocol=tcp ... 192.168.88.240"
# line has lost its leading "add ... dst-port=40" command, and the last line ends mid-command.
add action=dst-nat chain=dstnat dst-address=192.168.1.8 dst-port=252
protocol=tcp in-interface=wlan1 to-addresses=192.168.88.252 to-ports=80
# netmap to .254, but Cam-1's lease is .253; the working export uses dst-nat to .253.
add action=netmap chain=dstnat dst-address=192.168.1.8 dst-port=253
protocol=tcp in-interface=wlan1 to-addresses=192.168.88.254 to-ports=80
protocol=tcp in-interface=wlan1 to-addresses=192.168.88.240 to-ports=5000
add action=masquerade chain=srcnat comment="defconf: masquerade" \

Hi,

I have Static IP address given by ISP 10.179.238.36 to which to the Main WiFi Router is connected.

Sure, you have a static IP, but you do not have a PUBLIC IP (10.179.238.36 lies in the private 10.0.0.0/8 range); this means all the NAT mapping must also be performed on the “outer” contour (router) AND on the MikroTik.
Do you have access to that device to reconfigure it?

If not, your setup will never work.

Say what? Do you mean that he is given a private IP by the ISP?
Well, that's useless if true: no port forwarding is possible if one does not have the public IP as a client entry on a router one controls.
Still, if it's a modem/router from the ISP, often one can DMZ the whole range or forward ports… assuming access to the modem/router.

Yes, that is the provider’s router that forwards all the traffic from outside in and vice versa. For sure, the external port-forwarding rules should be applied on the “outer” router. Thank you.

Thank you, it seems that worked for me. I shall post the final settings on the MikroTik that allow access to all the cameras and the VideoServer (Blackbox).

The settings of the MikroTik that seem to work for access from the 192.168.1.0 network:

# sep/10/2020 14:14:33 by RouterOS 6.47.3
# software id = HRBJ-YKUT
#
# model = 951Ui-2nD
#
# Final export, as posted. Every command line is the poster's, unchanged; the "NOTE(review)"
# lines are reviewer remarks.

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Uplink profile: both wpa-psk and wpa2-psk are accepted. NOTE(review): if the upstream AP
# supports WPA2-only, dropping wpa-psk narrows what this side will negotiate -- confirm with the AP.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=XXXXXXXXX  \
    supplicant-identity=""
/interface wireless
# wlan1 is the wireless uplink to the main router (WAN-list member below, dhcp-client further
# down). No mode= is exported, so presumably the default station mode -- confirm.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=russia disabled=no distance=indoors frequency=2432 installation=\
    indoor security-profile=XXXXXXXXXXX ssid=XXXXXXXXXXX  \
    wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# The pool ends at .254; the static leases below (.240, .252, .253) fall inside it.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# Disabled on purpose: wlan1 is the uplink and must not be a LAN bridge port.
add bridge=bridge comment=defconf disabled=yes interface=wlan1
# ether1 is a LAN bridge port here, yet "/ip dhcp-client" below still has an entry for it; the
# earlier export reported "DHCP client can not run on slave interface!" for that case, so the
# ether1 client is presumably inert -- confirm.
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wlan1 list=WAN
/ip accounting
set enabled=yes
/ip accounting web-access
# NOTE(review): publishes the accounting table through the router's web server. Nothing in the
# input chain below limits who can reach that server (the "drop all not coming from LAN" rule
# is disabled), so restrict it -- this submenu's address= parameter, or the input chain -- or
# turn it off if it is not used.
set accessible-via-web=yes
/ip address
# Only the LAN address is static now; the 192.168.1.8 uplink address comes from the wlan1 dhcp-client.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
add disabled=no interface=wlan1
/ip dhcp-server lease
# Static leases pin the cameras and the video server to the addresses the dst-nat rules target.
add address=192.168.88.253 client-id=Cam-1 mac-address=\
    XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.88.252 client-id=Cam-2 mac-address=\
    XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.88.240 client-id=Video-Server mac-address=\
    XX:XX:XX:XX:XX:XX server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router answers DNS queries for others. With the input-chain WAN drop below disabled this
# is not limited to the LAN side; keep it LAN-only via the input chain, or set it to no if unneeded.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): this is the only input-chain rule that would block traffic arriving on the WAN
# list, and it is disabled (RouterOS chains accept by default), so every management service
# (WebFig on 80, Winbox, DNS, the accounting page) answers on 192.168.1.8 from the 192.168.1.0
# side. The 192.168.1.8:8000 -> WebFig forward from the post is therefore not needed: WebFig is
# already on 192.168.1.8:80. Re-enable this rule once the forwards are confirmed working --
# dst-NATed traffic goes through the forward chain, not input, so the cameras are unaffected.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# This is what makes the port forwards the only way in from the WAN list: new connections
# from WAN that were not dst-NATed are dropped; the three dst-nat rules below are what let
# camera/video-server traffic through.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# TCP from the camera LAN leaving via the WAN list is rewritten to 192.168.1.8. Because of
# protocol=tcp, non-TCP traffic falls through to the masquerade rule at the end of this chain.
add action=src-nat chain=srcnat out-interface-list=WAN protocol=tcp \
    src-address=192.168.88.0/24 to-addresses=192.168.1.8
# Port forwards: 192.168.1.8:240 -> video server :5000; :252 and :253 -> the two camera web
# UIs on :80 (plain HTTP). There is no in-interface-list=WAN match, so they also fire for
# packets from the bridge side addressed to 192.168.1.8; adding in-interface-list=WAN limits
# them to the uplink. Whatever the upstream router forwards to 192.168.1.8 on these ports
# lands on the cameras as well.
add action=dst-nat chain=dstnat dst-address=192.168.1.8 dst-port=240 \
    protocol=tcp to-addresses=192.168.88.240 to-ports=5000
add action=dst-nat chain=dstnat dst-address=192.168.1.8 dst-port=252 \
    protocol=tcp to-addresses=192.168.88.252 to-ports=80
add action=dst-nat chain=dstnat dst-address=192.168.1.8 dst-port=253 \
    protocol=tcp to-addresses=192.168.88.253 to-ports=80
# NOTE(review): to-addresses=192.168.1.1 names the upstream gateway, which looks out of place
# on a masquerade rule (masquerade normally uses the outgoing interface's own address) -- verify
# what it was meant for.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN to-addresses=192.168.1.1
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN