Hi,
I have a gateway for internet on 192.168.1.1. I connect the gateway to MikroTik CRS212-1G-10s-1s+, there I make a basic setup for the network. Now inside a network, I have one NVR with 12 cams. Is it possible to use Mikrotik DDNS function that I can access from outside network to NVR? NVR required 554 and 80 ports. What forwarding do I need to make in order to work?
Hi,
You could definitely use the MikroTik DDNS function for this, start with enabling it under /ip cloud.
Then what you’ll need to do is add two destination NAT-rules following the documentation (https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Destination_NAT).
In your firewall filters you should have appropriate rules allowing DST-Natted connections, the default firewall rules have a rule for that purpose. Otherwise you’ll need the following (from https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Firewall).
/ip firewall filter
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
Hi,
Thanks for your reply. Now I make like you send me the links. I add this to a firewall nat:
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=192.168.100.200
dst-address=178.152.108.249 log=no log-prefix=""
2 chain=srcnat action=src-nat to-addresses=178.152.108.249
src-address=192.168.100.200 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.100.200 to-ports=0-65535
protocol=tcp dst-port=554 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=192.168.100.200 to-ports=0-65535
protocol=udp dst-port=554 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=192.168.100.200 to-ports=0-65535
protocol=tcp dst-port=80 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=192.168.100.200 to-ports=80
protocol=udp dst-port=80 log=no log-prefix=""
Next i add this:
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 XI ;;; Drop incoming packets that are not NATed
chain=forward action=drop connection-state=new
connection-nat-state=dstnat in-interface=ether1 log=yes log-prefix="NAT"
1 chain=input action=accept connection-state=established,related log=no
log-prefix=""
2 chain=input action=accept src-address-list=allowed_to_router log=no
log-prefix=""
3 chain=input action=drop log=no log-prefix=""
[admin@MikroTik] /ip firewall address-list> print
Flags: X - disabled, D - dynamic
0 allowed_to_router 192.168.100.2-192.168.100.254
Now when i type inside network either mikrotik ddns name or ip address 178.152.108.100 it opens NVR that is on address 192.168.100.200 but still can't access from outside network.
Any advise?
Hi,
From my point of view it seems you have too many NAT-rules. You should leave the SRC-NAT (Masqeraude) but you should remove any other rules.
It think you’ll only need the following rules. I assume port 80 is used for a webpage of the NVR, so that should be TCP (as web is TCP-based). For the port 554 it might be TCP or UDP so I show two rules, you can find which protocol to use in the documentation of the NVR.
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.200.200 to-ports=80
add action=dst-nat chain=dstnat dst-port=554 protocol=tcp to-addresses=192.168.200.200 to-ports=554
add action=dst-nat chain=dstnat dst-port=554 protocol=udp to-addresses=192.168.200.200 to-ports=554
Hi,
Thanks for help. I make like this and now I have access through ddns via port 80. But when I want to use application it say it can’t connect to host. Any solution for this?
It depends on the application I guess. I don’t know which protocol and which ports are used by the application. You should forward all the necessary ports for the application by additional NAT-rules and verify that these NAT-rules actually git a hit. You should see packet-counters running when trying to access the NVR.
It says only port 80 and RTSP 554 that device use. The device is Grandstream GVR3550. I try to find what ports also application use but only saying RTSP 554. On packet counters, I saw small numbers of packets.
Can you post your current configuration; an /ip firewall nat export would be sufficient?
The RTSP-protocol is likely UDP as it’s a continous data-stream.
On the gateway 192.168.1.1, it's open port mapping to 192.168.1.2 (Mikrotik)
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-p 192.168.100.200 to-ports=554
add action=dst-nat chain=dstnat dst-p 192.168.100.200 to-ports=554
add action=dst-nat chain=dstnat dst-a tcp to-addresses=192.168.100.200
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=
established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.100.2-192.168.100.254 list=allowed_to
You’re NAT-export looks incomplete of the MikroTik.
The NAT-rules aren’t matching any ports right now. That could be an issue
You’ll need either a catch-all rule: this one will catch all traffic and forward it to the NVR.
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.0.109
Or a more specific approach
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 to-addresses=192.168.200.200 to-ports=80
add chain=dstnat action=dst-nat protocol=udp dst-port=554 to-addresses=192.168.200.200 to-ports=554
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=554 protocol=tcp to-addresses=192.168.100.200 to-ports=554
add action=dst-nat chain=dstnat dst-port=554 protocol=udp to-addresses=192.168.100.200 to-ports=554
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.100.200 to-ports=80
/ip firewall filter
add action=accept chain=input comment=“default configuration” connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
This I configurate. Now on application it say faild to retrieve image from camera. NVR is Grandstream Gvr 3550.