Firewall Problem

Dear All,

I’ve a problem with a firewall filter rule

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established 

 2   ;;; default configuration
     chain=input action=accept connection-state=related 

 3   ;;; WINBOX ACCESS
     chain=input action=accept protocol=tcp src-address-list=cybNET dst-port=8291 

 4 X chain=input action=accept protocol=tcp src-address-list=cybNET dst-port=8888 

 5   ;;; CAMERA ACCESS
     chain=forward action=accept protocol=tcp src-address-list=any dst-port=8880 

 6   chain=forward action=accept protocol=tcp src-address-list=any dst-port=554 

 7   ;;; LAN TO TILFF
     chain=forward action=accept src-address=192.168.12.0/24 dst-address=192.168.10.0/24 

 8   chain=forward action=accept connection-state=established src-address=192.168.10.0/24 dst-address=192.168.12.0/24 

 9   chain=forward action=accept connection-state=related src-address=192.168.10.0/24 dst-address=192.168.12.0/24 

10   ;;; TILLF TO LAN
     chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.12.0/24 

11   chain=forward action=accept connection-state=established src-address=192.168.12.0/24 dst-address=192.168.10.0/24 

12   chain=forward action=accept connection-state=related src-address=192.168.12.0/24 dst-address=192.168.10.0/24 

13   ;;; LAN TO WAN
     chain=forward action=accept in-interface=bridge-local out-interface=pppoe-out1 

14   chain=forward action=accept connection-state=established in-interface=pppoe-out1 out-interface=bridge-local 

15   chain=forward action=accept connection-state=related in-interface=pppoe-out1 out-interface=bridge-local 

16   ;;; VLAN100 TO WAN
     chain=forward action=accept in-interface=vlan100 out-interface=pppoe-out1 

17   chain=forward action=accept connection-state=established in-interface=pppoe-out1 out-interface=vlan100 

18   chain=forward action=accept connection-state=related in-interface=pppoe-out1 out-interface=vlan100 

19   chain=forward action=log log-prefix="" 

20   ;;; default configuration
     chain=input action=drop in-interface=pppoe-out1

21   chain=forward action=drop

NAT

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; IPSec 
     chain=srcnat action=accept src-address=192.168.12.0/24 dst-address=192.168.10.0/24 

 1   ;;; CAMERA ACCESS
     chain=dstnat action=dst-nat to-addresses=192.168.12.240 to-ports=81 protocol=tcp dst-port=8880 

 2   chain=dstnat action=dst-nat to-addresses=192.168.12.240 to-ports=554 protocol=tcp dst-port=554 

 3   ;;; B-BOX ACCESS
     chain=srcnat action=masquerade out-interface=ether1-gateway 

 4   ;;; default configuration
     chain=srcnat action=masquerade out-interface=pppoe-out1

I cannot access my camera from outside. When I disable the last rule (drop forward) it’s working.

Where is the problem?

Thank you in advance,

There are a few things. Firstly, you allow one port, then forward another.

I don't see the allow for port 81, since that's your redirect. I would rather redirect the correct port from the outside to the inside; some recorders forward the “port” as an embedded message in the connection stream.

1 ;;; CAMERA ACCESS
chain=dstnat action=dst-nat to-addresses=192.168.12.240 to-ports=81 protocol=tcp dst-port=8880

You don't need the address list, and also try TCP and UDP for 554 - RTSP can be elusive like that.

Odds are that you are dropping :81 traffic because you are not allowing it.

5 ;;; CAMERA ACCESS
chain=forward action=accept protocol=tcp src-address-list=any dst-port=8880

6 chain=forward action=accept protocol=tcp src-address-list=any dst-port=554
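
Added example (not part of either post): a small Python model of the ordering the reply relies on, where dst-nat rewrites the destination port before the forward chain is evaluated, so the filter sees port 81 rather than 8880. The WAN and client addresses are constructed, the `src-address-list=any` matcher is ignored, and the `dst-address` restriction in the fixed rule is an added narrowing not taken from the thread.

```python
# Simplified model of the path of a NEW inbound TCP connection through the
# router in the thread: dstnat runs first, then the forward filter chain
# (first matching rule wins).

WAN_IP = "203.0.113.10"       # constructed placeholder for the pppoe-out1 address
CLIENT_IP = "198.51.100.7"    # constructed outside client

# NAT rules 1 and 2 from the thread: (dst-port, to-addresses, to-ports)
DSTNAT = [(8880, "192.168.12.240", 81), (554, "192.168.12.240", 554)]

# Forward rules that can apply to the first packet of a WAN-originated
# connection. Rules 7-18 need LAN-side sources/interfaces or
# established/related state, and rule 19 only logs, so they are omitted.
FORWARD_ORIGINAL = [
    ("5 CAMERA ACCESS", {"dst_port": 8880}, "accept"),
    ("6", {"dst_port": 554}, "accept"),
    ("21", {}, "drop"),
]

# Rule 5 rewritten to match what the forward chain actually sees (post-NAT).
FORWARD_FIXED = [
    ("5 CAMERA ACCESS", {"dst_addr": "192.168.12.240", "dst_port": 81}, "accept"),
] + FORWARD_ORIGINAL[1:]


def apply_dstnat(pkt):
    """Rewrite destination address/port if a dstnat rule matches."""
    for port, to_addr, to_port in DSTNAT:
        if pkt["dst_port"] == port:
            return {**pkt, "dst_addr": to_addr, "dst_port": to_port}
    return pkt


def forward_verdict(pkt, rules):
    """Return (rule name, action) of the first rule whose matchers all hold."""
    for name, match, action in rules:
        if all(pkt[k] == v for k, v in match.items()):
            return name, action
    return "end of chain", "accept"


def trace(outside_port, rules):
    """Return (port seen by forward chain, matching rule, action)."""
    pkt = {"src_addr": CLIENT_IP, "dst_addr": WAN_IP, "dst_port": outside_port}
    translated = apply_dstnat(pkt)
    return (translated["dst_port"],) + forward_verdict(translated, rules)


if __name__ == "__main__":
    for label, rules in (("original", FORWARD_ORIGINAL), ("fixed", FORWARD_FIXED)):
        for port in (8880, 554):
            print(label, port, trace(port, rules))
```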