IP Webcam behind RB450 using UPnP

I’m attempting to install an IP Camera on my tower and access it from the Internet. I placed the camera on one of the local interfaces (ether2) of my RB450. I have NAT enabled to hide my private network from the public. The instructions that came with my camera specify UPnP to be enabled to allow the camera to be accessed via a domain name outside my private network. I’ve turned on UPnP but when I try to access the camera, I go directly to the Webbox login page. I’m sure something else needs to be set but not sure how I should proceed. Any help would be appreciated.

simply add static forwarding: http://wiki.mikrotik.com/wiki/Forwarding_a_port_to_an_internal_IP

I think, you need to forward port 80

We have some progress, but not total success. I added the nat static forwarding as you described and can see packets going through (usually 3 per attempt) but the camera doesn’t respond. The result is the web page simply times out. Any ideas? Thanks!

does webcam have access to the Internet via that router?

Yes. It is able to acquire time from an NTP server and it validates the DYNDNS account that I set up. I can connect to it (using IE) from my private network (same subnet) but not from the other side of the router. The camera’s instructions specify enabling UPnP. I’ve enabled this in the router, but the camera states: “UPnP Failed: Errors in Network Communication”

why not do a dst nat hopefully to the webcam

The example Chupaka pointed to in the wiki is a good example of how you should not port-forward to a web server. In other words, the example in the wiki is incorrect.

to-ports=80 (wrong)

to-ports=0-65535 (correct)

to-ports=1024-65535 (correct)

THG, the example is correct when you use dst-port=to-ports. but to-ports=0-65535 is the same =) (if you need to redirect port also, the example is fully correct, but ports should be different :) )

the problem can appear when the webcam doesn’t have access to the Internet through that router. in that case one rule should be added:

/ip firewall nat add chain=srcnat in-interface=Public dst-address=192.168.1.101 protocol=tcp dst-port=xxx (80?) action=masquerade place-before=0

The example is correct if the client is always listening on the same port, but a web browser is always listening on a random port greater than 1023. This port is usually called the ephemeral port.

What is an Ephemeral Port?

A TCP or UDP port number that is automatically allocated from a predefined range by the TCP/IP stack software, typically to provide the port for the client end of a client-server communication.

An ephemeral port, also called a transient port, or a temporary port, has the following characteristics:

  1. Usually is on the client side.
  2. Is set up when a client application wants to connect to a server.
  3. Is destroyed when the client application terminates.
  4. Its number is greater than 1023.
  5. Its number is chosen at random.

you are confusing things. the above info is right, but it has nothing to do with the dst-nat =) src-port (‘ephemeral’ client’s port) is not used in that rule, only dst-port - the port of the server :)

p.s. client is NOT listening on that port =)

I will give up if someone from MikroTik tells me that I’m wrong. :)

Take a look at this example:

The client address 192.168.2.45 with the ephemeral port 49274 connects to the web server with address 192.168.1.99 port 80.

The server then replies to the client with destination address 192.168.2.45 port 49274.

If you set the to-ports to 80, then the server will always respond to the client on port 80.

I’ll eat my shoes if I’m wrong. :)
(attached image: dstnat.png)

‘to-ports’ means ‘Replace original port with specified one’ ( http://wiki.mikrotik.com/wiki/Firewall_nat )

in case of dst-nat, it works with dst-port. src-address and src-port remain unchanged
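To make the point about dst-nat concrete, here is an added Python model of the rule plus connection tracking; it is not code from the thread or from RouterOS. The camera address 192.168.1.101 and port 80 are from the thread; the router's public address and the client's address and ephemeral port are assumptions.

```python
# Added example: a minimal model of a RouterOS dst-nat rule with conntrack,
# showing that to-ports rewrites only the destination port and that the
# client's ephemeral source port is never touched in either direction.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

ROUTER_PUBLIC = "203.0.113.10"   # assumed WAN address of the RB450
CAMERA = "192.168.1.101"         # camera address from the thread

class DstNatRouter:
    """Models: chain=dstnat dst-address=ROUTER_PUBLIC protocol=tcp
    dst-port=<dst_port> action=dst-nat to-addresses=CAMERA to-ports=<to_port>."""
    def __init__(self, dst_port: int, to_port: int):
        self.dst_port, self.to_port = dst_port, to_port
        self.conntrack: dict[tuple, Packet] = {}   # reply tuple -> original packet

    def inbound(self, pkt: Packet) -> Packet:
        """Packet arriving on the public interface, before routing."""
        if pkt.dst == ROUTER_PUBLIC and pkt.dport == self.dst_port:
            # Only dst/dport are rewritten; src/sport (the ephemeral port) stay as-is.
            translated = replace(pkt, dst=CAMERA, dport=self.to_port)
            reply_key = (translated.dst, translated.dport, translated.src, translated.sport)
            self.conntrack[reply_key] = pkt
            return translated
        return pkt

    def outbound(self, pkt: Packet) -> Packet:
        """Reply from the LAN host: conntrack undoes the dst-nat on the source side."""
        original = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if original is None:
            return pkt
        return replace(pkt, src=original.dst, sport=original.dport)

def walk(to_port: int) -> tuple[Packet, Packet]:
    """Assumed client 198.51.100.7:49274 opens the forwarded port 80.
    Returns (packet as the camera sees it, reply as the client sees it)."""
    router = DstNatRouter(dst_port=80, to_port=to_port)
    seen_by_camera = router.inbound(Packet("198.51.100.7", 49274, ROUTER_PUBLIC, 80))
    camera_reply = Packet(seen_by_camera.dst, seen_by_camera.dport,
                          seen_by_camera.src, seen_by_camera.sport)
    return seen_by_camera, router.outbound(camera_reply)
```

Running walk(80) and walk(8080) shows the camera receiving the request on port 80 or 8080 respectively, while the client always gets its reply back from 203.0.113.10:80 to its own port 49274.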

huh… bon appetit? =)