cannot access ip-camera from the outside

Norman29 · March 13, 2014, 5:49pm

I can access almost everything from the outside.
The only thing i can not access is my ip-camera??
I narrowed it down to one rule that is causing the problem:

/ip firewall filter
add action=drop chain=forward comment=\ "Drop all other traffic through the router" \ disabled=no

If i enable this rule i cannot access the camera, if i disable this rule the camera can be viewed.
But then i get all sorts of other unwanted traffic. So i want that rule enabled.

I tried it with adding a nat rule (which is the “solution” you’ll find all over the internet):

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=86.86.86.860 dst-port=6080 protocol=tcp to-addresses=192.168.0.5 to-ports=6080

I can see that traffic is generated because the counter is running as soon as i start the camera, but there’s no connection to the camera.

How can i get this cam working with the forward chain rule still active?

rextended · March 13, 2014, 5:57pm

Enter inside the config of camera and read ALL ports the camera use.
Both TCP and UDP

In Firewall / Connection tracking use filter to see only the ip of your camera and see what port and protocol it use for working.

Create firewall rules accordingly

efaden · March 13, 2014, 6:31pm

Norman29:

I can access almost everything from the outside.
The only thing i can not access is my ip-camera??
I narrowed it down to one rule that is causing the problem:
/ip firewall filter
add action=drop chain=forward comment=\ "Drop all other traffic through the router" \ disabled=no
If i enable this rule i cannot access the camera, if i disable this rule the camera can be viewed.
But then i get all sorts of other unwanted traffic. So i want that rule enabled.

I tried it with adding a nat rule (which is the “solution” you’ll find all over the internet):
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=86.86.86.860 dst-port=6080 protocol=tcp to-addresses=192.168.0.5 to-ports=6080
I can see that traffic is generated because the counter is running as soon as i start the camera, but there’s no connection to the camera.

How can i get this cam working with the forward chain rule still active?

The DST-NAT rule only changes the incoming packet. If you have a default drop in the forward you need a rule above it to allow that incoming request..

you’ll want something like:
/ip firewall filter
add chain=forward dst-address=192.168.0.5 protocol=tcp port=6080That will actually allow the request…

Basically look at the packet flow diagram… first the packet hits the nat chains and gets changed… then it hits the forward chain… so you need both the DSTNAT and the Accept if you want it to work…

EDIT: NOTE!!! the forward rule will have to match the packet AFTER the NAT… so noticed I used the internal ip and the forwarded port.

Norman29 · March 14, 2014, 12:24pm

Great! That worked. So frustrating and yet so logical to get that problem fixed…
Thanx for your help!

efaden · March 14, 2014, 5:22pm

No problem.

francisuk24 · March 31, 2014, 1:01am

Just wonted to add, i was having problems port forwarding using NAT but this seemed to work for me.
Replace 192.168.1.8 with your internal IP cam and port 8081

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=8081 protocol=tcp dst-port=8081