Port forwarding driving me insane!

I’ve spent over a month now trying to get a simple port forward to an internal webcam working.

Can someone please show me how it should be done so I can check it with my config?

The webcam is on the internal address 192.168.10.9 on port 8080.

The “Hairpin Test” allows me to see the webcam from an internal machine using its external address.

http://www.canyouseeme.org/ shows that port 8080 is open and has a service running.

If I use a computer on a different network then I cannot access the webcam.

/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; New Web Cam
     chain=dstnat action=dst-nat to-addresses=192.168.10.9 to-ports=8080 protocol=tcp dst-port=8080 

 1   ;;; HAIRPIN TEST
     chain=srcnat action=masquerade protocol=tcp src-address=192.168.10.0/24 dst-address=192.168.10.9 
     out-interface=ether2-office-master dst-port=8080

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
1   ;;; webcam rule
     chain=input action=accept protocol=tcp dst-address=192.168.10.9 dst-port=8080

I must be doing something stupid…

Your filter rule should be on the forward chain. Change that and see. If it still does not work, please post your full /ip firewall export.


Nope, no change :frowning:

To clarify some of the rules below, we have 2 internal networks: 192.168.10.x is our private network. 192.168.100.x is an open network for visitors using the Mikrotik hotspot system and a separate wifi AP.

We have 1 internet connection with a DHCP external IP address.

We use dyndns to map the external IP address to a hostname.

/ip firewall> export
# mar/24/2013 11:48:10 by RouterOS 4.11
# software id = KZR6-A26I
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
    udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="webcam rule" disabled=no dst-address=192.168.10.9 dst-port=8080 protocol=tcp
add action=accept chain=output comment="webcam rule" disabled=no dst-port=8080 protocol=tcp src-address=192.168.10.9
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=no
add action=drop chain=forward comment="" disabled=no dst-address=192.168.10.0/24 in-interface=ether5-guest-master
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no in-interface=BT
add action=accept chain=input comment="default configuration" connection-state=related disabled=no in-interface=BT
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="" disabled=no in-interface=!BT src-address=192.168.10.0/24
add action=accept chain=input comment="" disabled=no in-interface=!BT src-address=192.168.100.0/24
add action=accept chain=forward comment="allow already established connections" connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=forward comment="" disabled=no src-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=224.0.0.0/3
add action=drop chain=forward comment="" disabled=no dst-address=224.0.0.0/3
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=udp
add action=accept chain=icmp comment="echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" disabled=no icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=12:0 protocol=icmp
add action=accept chain=icmp comment="" disabled=no icmp-options=12:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" disabled=no icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=drop chain=input comment="drop ftp brute forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="" content="530 Login incorrect" disabled=no \
    protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no in-interface=BT
add action=drop chain=input comment="Drop everything else" disabled=no
/ip firewall nat
add action=dst-nat chain=dstnat comment="New Web Cam" disabled=no dst-port=8080 protocol=tcp to-addresses=192.168.10.9 to-ports=8080
add action=src-nat chain=srcnat comment="New Web Cam" disabled=no protocol=tcp src-port=8080 to-ports=8080
add action=masquerade chain=srcnat comment="HAIRPIN TEST" disabled=no dst-address=192.168.10.9 dst-port=8080 out-interface=ether2-office-master protocol=tcp \
    src-address=192.168.10.0/24
add action=dst-nat chain=dstnat comment=xbox disabled=no dst-port=88 in-interface=BT protocol=udp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3074 in-interface=BT protocol=udp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3074 in-interface=BT protocol=tcp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 in-interface=BT protocol=tcp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 in-interface=BT protocol=udp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 in-interface=BT protocol=tcp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1863 in-interface=BT protocol=tcp to-addresses=192.168.10.6
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1863 in-interface=BT protocol=udp to-addresses=192.168.10.6
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=no
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=BT src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="" disabled=no dst-port=8080 protocol=tcp src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=192.168.100.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Thanks.

Try these settings:

Action=dstnat Chain=dstnat Dst. Address=“your public ip here” Protocol=6(tcp) To Addresses=“your camera local ip” Dst. Port=8080 In Interface=“your gateway here”

Thanks starwinX. The only problem I can see with this is I do not have a static public IP address. What should I put in the “your public ip here” section?

Are you sure the camera doesn’t use another additional port for data streaming?
Usually there is an activex plugin that takes care of the video.
In that case, your hairpin works for web access but data flows directly.
On external access, it will not work until you forward that port.

It’s an Axis M1011. It just uses the normal port to stream.

I have had it working using a normal ADSL router and port forwards so I know it works. Just need to work my way round the Mikrotik rules.

You don’t need the accept rule. Only the nat rule.

Sorry, I’m an idiot! Can you please quote the rule that you think I should remove?

Thanks.

This is still driving me crazy!

It seems like I can’t set up any rules to allow any traffic through the firewall. Although external port checkers show that the ports are open.

Any one else have any ideas?

I don’t understand this rule:

/ip firewall nat
add action=src-nat chain=srcnat comment="New Web Cam" disabled=no protocol=tcp src-port=8080 to-ports=8080

The above rule is not doing anything; it could even be breaking the connections.

hey mattltm,

Instead of dst-address, just use in-interface and specify your WAN interface. Below is an example with ether1 being your WAN interface:

add action=dst-nat chain=dstnat comment="webcam" dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.10.9

Then all you need to do is ensure there are no forward chain rules blocking 8080 to 192.168.10.9.

/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
/ip firewall nat add chain=srcnat src-address=10.244.244.0/24 dst-address=10.244.244.2 out-interface=LAN action=masquerade
/ip firewall nat add chain=dstnat dst-address=10.245.245.2 action=dst-nat to-addresses=10.244.244.2

Here is the hairpin-NAT test I use. The local address of the external service is 10.244.244.2, the “global” address is 10.245.245.2. So a local client connecting to 10.245.245.2 should go to 10.244.244.2 instead, and replies should go through the router doing the NAT. It works as expected.

It is not a good example, because all traffic is redirected to the internal host, and this should be considered unsafe.

Ok, so here is what I tested and it worked (ROS version 6.0rc11, but it should be the same for ROS 5.x):

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

The above is the general masquerade rule

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.2.200 to-ports=80 protocol=tcp in-interface=ether2 dst-port=6666 
add chain=srcnat action=masquerade protocol=tcp src-address=192.168.2.0/24 dst-address=192.168.2.200 out-interface=ether2 dst-port=80

The above are the hairpin nat rules. 192.168.2.200 is the camera IP serving on port 80. I am redirecting requests on port 6666 to port 80. Notice the in-interface=ether2 here, which is the local interface.

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.2.200 to-ports=80 protocol=tcp in-interface=ether1 dst-port=6666

The above rule is for the requests coming from the outside. Notice the in-interface=ether1, which is the WAN interface.
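As an added illustration of the three rules in this post (this is not code from the thread or from MikroTik), the Python model below applies the two dst-nat rules and the hairpin masquerade to a TCP packet and shows what the camera sees for an outside client and for a LAN client, with and without the hairpin masquerade rule. It also shows why matching on in-interface, as suggested earlier in the thread, works without knowing the public address. The interface names, the router's addresses (203.0.113.10 on ether1, 192.168.2.1 on ether2) and the client addresses are assumed values chosen to fit the post; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.

```python
# Added example, not from the thread or from MikroTik: a small model of
# what the dst-nat and masquerade rules quoted above do to a TCP packet
# heading for the camera, for an outside client and for a LAN client
# (hairpin). Interface names, router addresses and client addresses are
# assumed values chosen to match the post.
from dataclasses import dataclass, replace

WAN_IF, LAN_IF = "ether1", "ether2"
PUBLIC_IP = "203.0.113.10"        # assumed address on ether1 (the WAN side)
ROUTER_LAN_IP = "192.168.2.1"     # assumed router address on ether2
LAN_PREFIX = "192.168.2."
CAMERA_IP, CAMERA_PORT = "192.168.2.200", 80
PUBLIC_PORT = 6666                # the port the post redirects to camera:80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str


def out_iface(dst):
    """Routing decision: the LAN prefix leaves on ether2, everything else on ether1."""
    return LAN_IF if dst.startswith(LAN_PREFIX) else WAN_IF


def dstnat(p):
    """chain=dstnat: the two dst-nat rules from the post, first match wins.
    Both rewrite <anything>:6666 to camera:80; they differ only in in-interface,
    so neither needs to know the (possibly dynamic) public address."""
    if p.in_iface == LAN_IF and p.dport == PUBLIC_PORT:    # hairpin rule
        return replace(p, dst=CAMERA_IP, dport=CAMERA_PORT)
    if p.in_iface == WAN_IF and p.dport == PUBLIC_PORT:    # outside rule
        return replace(p, dst=CAMERA_IP, dport=CAMERA_PORT)
    return p


def srcnat(p, hairpin_rule=True):
    """chain=srcnat, evaluated after routing, so the out-interface is known.
    Masquerade replaces the source with the address of the out-interface."""
    out = out_iface(p.dst)
    if (hairpin_rule and out == LAN_IF and p.src.startswith(LAN_PREFIX)
            and p.dst == CAMERA_IP and p.dport == CAMERA_PORT):
        return replace(p, src=ROUTER_LAN_IP)           # hairpin masquerade
    if out == WAN_IF:
        return replace(p, src=PUBLIC_IP)               # general masquerade
    return p


def translate(p, hairpin_rule=True):
    """Forward-path translation: dstnat, then routing, then srcnat."""
    return srcnat(dstnat(p), hairpin_rule)


def reply_path(client_pkt, hairpin_rule=True):
    """Where the camera's reply goes. The camera answers the source it saw.
    If that source is the router or an off-LAN address, the reply passes
    through the router, which reverses both translations, and the client
    sees a reply from PUBLIC_IP:6666, matching the socket it opened.
    If the camera saw a LAN client's own address it replies directly with
    source camera:80, which matches no socket on that client."""
    src = translate(client_pkt, hairpin_rule).src
    if src == ROUTER_LAN_IP or not src.startswith(LAN_PREFIX):
        return "via-router"
    return "direct"


# Constructed sample packets: one outside client, one LAN client.
FROM_OUTSIDE = Packet("198.51.100.7", 40000, PUBLIC_IP, PUBLIC_PORT, WAN_IF)
FROM_LAN = Packet("192.168.2.50", 40001, PUBLIC_IP, PUBLIC_PORT, LAN_IF)

if __name__ == "__main__":
    for name, pkt in (("outside", FROM_OUTSIDE), ("lan", FROM_LAN)):
        for hp in (True, False):
            t = translate(pkt, hp)
            print(f"{name:7} hairpin_rule={hp!s:5} camera sees "
                  f"{t.src}:{t.sport} -> {t.dst}:{t.dport}; reply {reply_path(pkt, hp)}")
```

Running the block prints the four cases; the one that fails is the LAN client without the hairpin masquerade, where the camera answers the client directly and the reply never passes the router that holds the NAT state.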

Thanks all. This got old about 2 months ago :frowning:

If I comment this rule out, I can’t access the cam using the existing hairpin NAT and canyouseeme.org detects that port 8080 is closed.

I tested this with ether1 and BT interfaces (the connection to my modem). Both don’t work for me and canyouseeme.org reports port 8080 closed.

Thanks, it looks like the hairpin NAT is working fine for me. It’s just external connections that can’t access the webcam.

Thanks.

I removed all rules from the router and added your rule set. Changed IP addresses and port numbers to match mine.

Hairpin NAT works but external access does not, and canyouseeme.org reports port 8080 as closed.

What I find strange is the fact that with the current config, canyouseeme.org detects that port 8080 is open and that there is a service running. If anyone would like to check again for me then please feel free to PM me for the IP address (it’s dynamic so it changes a lot!)

Very odd that I can’t connect with a browser.

Any other ideas anyone?

Looks like this is resolved.

I have no idea what changed, but I removed all of the rules to run one of the suggested solutions above, then added the original rules back in, and suddenly it all started working!

Got to love technology huh?

Thanks for your help all and if anyone wants to take a guess at what happened then please do!

Probably there is a rule in the firewall which conflicts with the hairpin NAT rule or the access rule from outside. Rules are executed in order, which means the first rule that matches the packet is applied and the packet then leaves the router; after you deleted them and re-added them, the rules now have a different order.
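To make the first-match point concrete, here is an added example (not code from the thread or from MikroTik): a small evaluator with RouterOS-style first-match semantics, run over four forward rules copied from the export quoted earlier in this thread. Swapping two of them changes the verdict for the same packet. The packets are constructed, and the chain default of accepting a packet that matches no rule is the RouterOS behaviour for a chain without a final catch-all. The run also shows that in the order the export lists them, the "webcam rule" accept sits before the drop for the guest interface, so a new connection from the hotspot network to 192.168.10.9:8080 is accepted by the earlier rule before the guest drop is ever consulted.

```python
# Added example, not from the thread or from MikroTik: a first-match
# evaluator for a RouterOS-style filter chain, run over four forward
# rules copied from the export quoted earlier in this thread, to show how
# the order of the rules decides the verdict. The packets are constructed.
import ipaddress
import shlex

# Forward rules exactly as they appear in the export, in that order.
EXPORT_FORWARD = [
    'add action=accept chain=forward comment="webcam rule" disabled=no dst-address=192.168.10.9 dst-port=8080 protocol=tcp',
    'add action=drop chain=forward comment="" disabled=no dst-address=192.168.10.0/24 in-interface=ether5-guest-master',
    'add action=accept chain=forward comment="allow already established connections" connection-state=established disabled=no',
    'add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no protocol=tcp',
]

# Constructed packets: a new TCP connection from a hotspot guest and one
# from the internet (arriving on the BT interface), both to the camera.
GUEST_TO_CAMERA = dict(src="192.168.100.20", dst="192.168.10.9", dport=8080,
                       proto="tcp", in_iface="ether5-guest-master", state="new")
WAN_TO_CAMERA = dict(src="198.51.100.7", dst="192.168.10.9", dport=8080,
                     proto="tcp", in_iface="BT", state="new")


def parse_rule(line):
    """Turn one 'add key=value ...' export line into a dict (shlex handles the quotes)."""
    tokens = shlex.split(line)
    if tokens[0] != "add":
        raise ValueError(f"not an add line: {line}")
    return dict(tok.partition("=")[::2] for tok in tokens[1:])


def port_in(port, spec):
    """dst-port accepts a single port or a lo-hi range such as 137-139."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def iface_match(iface, spec):
    """in-interface accepts a negated value such as !BT."""
    return iface != spec[1:] if spec.startswith("!") else iface == spec


MATCHERS = {
    "dst-address": lambda pkt, v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
    "src-address": lambda pkt, v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
    "in-interface": lambda pkt, v: iface_match(pkt["in_iface"], v),
    "protocol": lambda pkt, v: pkt["proto"] == v,
    "dst-port": lambda pkt, v: port_in(pkt["dport"], v),
    "connection-state": lambda pkt, v: pkt["state"] == v,
}
NOT_MATCHERS = {"action", "chain", "comment", "disabled"}


def matches(rule, pkt):
    """Every matcher on the rule must hold. Unknown keys raise instead of being
    ignored, so a rule is never matched more broadly than it was written."""
    for key, value in rule.items():
        if key in NOT_MATCHERS:
            continue
        if key not in MATCHERS:
            raise ValueError(f"unsupported matcher {key}")
        if not MATCHERS[key](pkt, value):
            return False
    return True


def evaluate(rules, chain, pkt, default="accept"):
    """First-match semantics: the first enabled rule in the chain that matches
    decides; a packet matching nothing gets the chain default."""
    for rule in rules:
        if rule["chain"] != chain or rule.get("disabled") == "yes":
            continue
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return default, "chain default"


if __name__ == "__main__":
    rules = [parse_rule(line) for line in EXPORT_FORWARD]
    print("export order, guest -> camera:   ", evaluate(rules, "forward", GUEST_TO_CAMERA))
    swapped = [rules[1], rules[0]] + rules[2:]
    print("guest drop first, guest -> camera:", evaluate(swapped, "forward", GUEST_TO_CAMERA))
    print("export order, internet -> camera:", evaluate(rules, "forward", WAN_TO_CAMERA))
```

The evaluator refuses rule keys it does not model rather than skipping them, which is the safe failure mode for a tool like this: silently ignoring a matcher would make a rule look broader than it is and hide exactly the kind of ordering problem being discussed.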

I would love to think that was the answer but I just exported the rules to a file then imported them again. I just checked and they are still in the original order. :confused: