Medisana Smart Baby Monitor IP-Camera behind the MikroTik RB2011UAS-2HnD-IN

Hi, All!

I need your help, because I have got stuck trying to eliminate my issue with port forwarding. :confused:

Here is my situation description briefly: Medisana Smart Baby Monitor IP-camera (hereinafter - Medisana) is connected to router MikroTik RB2011UAS-2HnD-IN (hereinafter - Mikrotik) which is connected to ISP (Internet) via Ethernet1 port.

ISP gives me dynamic public IP-address. So, it changes from time to time after reconnection.


Mikrotik configuration
RouterOS: 6.28.
ISP plugged into Ethernet1 port (by default).

Router has the default configuration:

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254

/ip address
add address=192.168.88.1/24 comment="default configuration" \
    interface=ether2-master-local network=192.168.88.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid \
    interface=ether1-gateway

/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" \
    gateway=192.168.88.1 netmask=24

/ip dns static
add address=192.168.88.1 name=router

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add action=drop chain=input comment="default configuration" \
    in-interface=ether1-gateway
add chain=forward comment="default configuration" \
    connection-state=established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1-gateway

/ip upnp
set enabled=yes

/ip upnp interfaces
add interface=bridge-local type=internal
add interface=pppoe-out1 type=external

I made the following adjustments:

/ip dns
set allow-remote-requests=yes servers=77.88.8.88,77.88.8.2

/ip firewall nat
add action=dst-nat chain=dstnat comment="Medisana SMB IP-camera" \
    dst-port=222 in-interface=ether1-gateway protocol=tcp \
    to-addresses=192.168.88.222 to-ports=222

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/interface ethernet
set [ find default-name=sfp1 ] disabled=yes

Mikrotik is reachable via the Internet from anywhere (i.e.: public IP x.xx.xx.xx). :sunglasses:


Medisana configuration
IP: 192.168.88.222
Mask: 255.255.255.0
Port: 222
Gateway: 192.168.88.1 (Mikrotik)
DNS: 192.168.88.1 (Mikrotik)
Connected method: UTP-cable or Wi-Fi (it does not matter).
IP-camera is reachable only from LAN, unfortunately. When I try to get it from public IP-address of Mikrotik (i.e.: x.xx.xx.xx:222) – no response and no forwarding for 222 port.


Question: what is wrong and what should I do to see a picture from my IP-camera? :open_mouth:

Thank you in advance for technical assistance!

How are you getting your WAN public IP? By DHCP or by dialing PPPoE? Your settings seem to have mixed setups.

Dialing PPPoE (on Mikrotik).

Then you should delete

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid \
    interface=ether1-gateway

And change all occurrences of ether1-gateway with pppoe-out1, which is the "real" WAN interface.

P.S. Enable IP > Cloud for remote access to your medisana by name instead of the dynamic IP.

pukkita, thank you very much for reply. I will try it and post here the results. :slight_smile:

Hello!
Here is the solution for my problem! :smiley:

The problem was mostly in time synchronization NTP (System=>NTP Client) and one mistake in NAT rule (IP=>Firewall=>NAT - see screenshot attached).

See my config alterations:

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="Medisana SMB IP-camera" dst-port=222 \
   in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.222 \
    to-ports=222

Pay attention here: in-interface=pppoe-out1

/system ntp client
set enabled=yes primary-ntp=91.226.136.138 secondary-ntp=109.195.19.73

/system ntp server
set enabled=yes

Even though I set the current time manually, it was necessary to configure the NTP client.

Thanks to pukkita for the tip!
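
An added example, not part of the thread and not MikroTik's own tooling: a small Python audit of a RouterOS export for the mismatch discussed above. It lists firewall rules that still match on the carrier port instead of the PPPoE interface, which in the first post's config includes the default input drop rule as well as the dst-nat rule. The sample export is constructed from the thread's config, and treating the masquerade rule's out-interface as the WAN is an assumption.

```python
import re

# Constructed sample: a trimmed RouterOS export modelled on the thread's first post.
SAMPLE_EXPORT = r"""
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="Medisana SMB IP-camera" \
    dst-port=222 in-interface=ether1-gateway protocol=tcp \
    to-addresses=192.168.88.222 to-ports=222
/ip firewall filter
add action=drop chain=input comment="default configuration" \
    in-interface=ether1-gateway
add chain=forward comment="default configuration" \
    connection-state=established,related
"""

PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Yield (menu, params) per 'add' line after joining backslash continuations."""
    joined = re.sub(r"\\\r?\n\s*", "", text)
    menu = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # section header such as "/ip firewall nat"
        elif line.startswith("add "):
            yield menu, {k: v.strip('"') for k, v in PAIR.findall(line)}

def audit(text, carrier="ether1-gateway"):
    """Return (wan, findings): firewall rules still matching on the carrier port."""
    rules = list(parse_export(text))
    # Assumption: the WAN is the out-interface of the srcnat masquerade rule.
    wan = next((p.get("out-interface") for m, p in rules
                if m == "/ip firewall nat" and p.get("action") == "masquerade"), None)
    findings = []
    if wan and wan != carrier:
        for menu, p in rules:
            if menu.startswith("/ip firewall") and p.get("in-interface") == carrier:
                findings.append((menu, p.get("chain"), p.get("action", "accept"),
                                 p.get("comment", "")))
    return wan, findings

if __name__ == "__main__":
    wan, findings = audit(SAMPLE_EXPORT)
    print("WAN interface:", wan)
    for finding in findings:
        print("still matches ether1-gateway:", finding)
```

An empty findings list after replacing ether1-gateway with pppoe-out1 in the firewall rules means both the port forward and the input drop rule now match traffic arriving over PPPoE.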