I am needing basic help with port forwarding please.
I have a Q-See unit QT428 and I am desperately trying to find a way to be able to view my cameras via my computer. The router is Mikrotik 951 which was provided by my ISP but which I now own. I have upgraded the firmware on the Q-See and checked the UPnP box. However, when I try canyouseeme, it cannot read ports 85 or 6036.
I cannot get any help from Q-See as they tell me they are “not trained” on a Mikrotik router.
My ISP likewise cannot help.
I am really hoping someone here can walk me through this. I have password etc for the router but am afraid of messing it up as I know little about routers. The info from Mikrotik seems very complicated and I do not understand it.
A. Which IP does your Q-See unit have?
B. In Routerboard 951:
Go to “New Terminal” and type export.
Copy paste the results here.
The easiest way should be to enable UPnP on the router (it’s disabled by default). Look at IP->UPnP, there’s an Enabled checkbox. And you also need to tell the router which interface is internal and which is external (there’s an Interfaces button for that in the same dialog).
Thank you for the response. The UPnP was already checked on the router. However, although I look at the interfaces button, I do not understand what to do with the info. It lists two items: bridge-local Internal and ether1-gateway external.
The IP for the QT is 192.168.001.239
router is 192.168.001.001
This is what I get at New Terminal (which makes no sense to me!)
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 6.30.4 (c) 1999-2015 http://www.mikrotik.com/
[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments
[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options
/ Move up to base level
.. Move up one level
/command Use command at the base level
Hi OceanWW,
Yes, what you see in “New Terminal” is normal; what JB172 wanted to say is that in the “New Terminal” window you type export, hit Enter, and copy and paste the results here.

kind regards,
Thanks for the help. I think I have it right this time.
[customer@Usr15020] > export
# jan/01/2017 18:50:26 by RouterOS 6.30.4
# software id = 9TMB-A6I8
/interface bridge
add admin-mac=E4:8D:8C:45:49:2F auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
ether5-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
l2mtu=1600 mode=ap-bridge mtu=1600 ssid=AlyricaWiFi wireless-protocol=\
802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=rudolph10 \
wpa2-pre-shared-key=rudolph10
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/queue simple
add name=queue1 queue=pcq-upload-default/pcq-download-default target=\
192.168.1.0/24
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.1.1/24 comment=Router interface=ether2-master-local \
network=192.168.1.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,199.58.96.29 gateway=\
192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=Router
add address=199.58.96.29 name=Alyrica
add address=8.8.8.8 name=Google
/ip firewall address-list
add address=69.1.125.0/24 list=Alyrica
add address=74.123.160.0/21 list=Alyrica
add address=104.152.252.0/22 list=Alyria
add address=192.234.118.0/23 list=Alyrica
add address=206.192.248.0/23 list=Alyrica
add address=199.58.96.0/21 list=Alyrica
add address=199.91.226.0/23 list=Alyrica
add address=199.91.230.0/23 list=Alyrica
add address=208.65.184.0/21 list=Alyrica
add address=206.192.248.0/24 list=Management
add address=199.58.96.0/24 list=Management
add address=199.91.230.0/23 list=Management
add address=208.65.184.0/21 list=NextGen
add address=74.123.160.0/21 list=NextGen
/ip firewall filter
add chain=input comment="Allow Alyrica Managment IPs" src-address-list=\
Management
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
established,related
add action=drop chain=input comment="default configuration" disabled=yes \
in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=\
established,related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=\
ether1-gateway
add chain=forward comment="default configuration" connection-state=\
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address="192.168.1.0/24,69.1.125.0/24,199.91.230.0/24,206.192.248.0/25\
,199.58.96.0/25,208.65.184.0/21,74.123.160.0/21"
set ssh address="192.168.1.0/24,69.1.125.0/24,199.91.230.0/24,206.192.248.0/25\
,199.58.96.0/25,208.65.184.0/21,74.123.160.0/21"
set api disabled=yes
set winbox address="192.168.1.0/24,206.192.248.0/25,199.58.96.0/25,208.65.184.\
0/21,74.123.160.0/21"
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1-gateway type=external
add interface=bridge-local type=internal
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=Usr15020
/system leds
set 5 interface=wlan1
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool romon port
add
[customer@Usr15020] >
Do you want to access the Q-See unit from the internet or from inside your LAN?
First of all, on the RB951 go to IP->Addresses and change the interface of 192.168.1.1/24 from ether2-master-local to bridge-local.
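
An added example, not written by any poster in this thread: a small Python check over a RouterOS export that flags an IP address bound to a bridge member port (the change suggested in the last reply) and reports which of the Q-See ports 85 and 6036 have no dst-nat rule. `parse_export` and `audit` are hypothetical helper names, and the embedded export is a constructed sample trimmed from the one posted above.

```python
import re

# Constructed sample: three sections trimmed from the export posted in the thread.
EXPORT = r"""
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.1.1/24 comment=Router interface=ether2-master-local \
    network=192.168.1.0
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its add/set lines."""
    joined = re.sub(r"\\\s*\n\s*", "", text)  # undo "\" line continuations
    menus, path = {}, None
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus[path].append({k: v.strip('"') for k, v in pairs})
    return menus

def audit(text, want_ports=("85", "6036")):
    """Report LAN addresses bound to bridge ports and ports with no dst-nat rule."""
    menus = parse_export(text)
    findings = []
    bridge_of = {p["interface"]: p["bridge"]
                 for p in menus.get("/interface bridge port", [])
                 if "interface" in p and "bridge" in p}
    for addr in menus.get("/ip address", []):
        iface = addr.get("interface")
        if iface in bridge_of:
            findings.append(f"{addr['address']} is on bridge port {iface}; "
                            f"move it to {bridge_of[iface]}")
    forwarded = set()
    for rule in menus.get("/ip firewall nat", []):
        if rule.get("chain") == "dstnat" and rule.get("action") == "dst-nat":
            forwarded.update(rule.get("dst-port", "").split(","))  # exact ports only
    findings += [f"no dst-nat rule for port {p}" for p in want_ports
                 if p not in forwarded]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(EXPORT)))
```
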