Hi all,
I am a newbie with MikroTik port forwarding, and with MikroTik OS…
I kindly ask for your support in configuring port forwarding for my Hikvision DVR, to be able to connect to it from any remote location, via the hik-connect portal.
The cams are visible on my mobile Hikvision app.
Here are my DVR ports:
HTTP Port: 80
RTSP Port: 554
HTTPS Port: 443
Server Port: 8000
Here is my device, as it appears on hik-connect portal:
my DVR DS-7104HUHI-K1 my_(dynamic)public_ip/80 Online
Up till now, I was using a Cisco RV042G router, with three simple Forwarding rules, and everything was working perfectly (see attached picture).
Please note that I have a PPPoE internet connection, via a fiber GPON modem, and the IP is not fixed.
I have tried different NAT rules, from some tutorials on youtube/internet, but each time I try to login remotely from hik-connect portal, I get my Mikrotik admin page (see attached printscreen too).
I also attach my config file, slightly edited for some sensitive info.
Late edit: I have tried to change www port in MikroTik Services from 80 to 81, but still not able to connect to DVR from WAN side via hik-connect portal, which is pointing to port 80.
Probably some dstnat rule has to be configured, but I have no idea how to do it.
PS. Couldn’t figure out how to copy the config file as code here in this post
But this is a side problem…
Thank you for any suggestions and support!
myconfig.rsc (7.46 KB)
(1) It is not clear how you are trying to connect to the DVR.
a. Directly from LAN device to DVR using LAN IP. Y/N ?
b. From Internet using dyndns URL (could be mycloud.net from ip cloud for example) Y/N ?
c. From LAN using dyndns URL Y/N ?
If c, are you attempting to reach DVR from the same subnet?
(2) (Don't understand your setup)
You have two subnets, a LAN on the 10.0.0.0 network
and a VPN on the 10.0.0.0 network.
Obviously potential conflict and problems could arise, so for now DISABLE VPN to ensure it's not interfering with the port forwarding.
(3) You have a VERY BAD input chain rule… At least limit to the LAN for security. Also winbox port has nothing to do with DDNS.
Suggest you change winbox port from default as well. Will fix this even better later!!!
add action=accept chain=input comment="Enable DDNS and Winbox" dst-port=8291 protocol=tcp
TO:
add action=accept chain=input comment="Enable LAN access to Winbox" dst-port=8291 protocol=tcp in-interface-list=LAN
(4) Need to fix Forward rules as well.
(5) DST NAT (port forwarding rules) are incorrect as well.
(6) Why is UPnP enabled??
(7) Are you using IPv4 or IPv6? If it's the latter, my assistance will be minimal.
# Use DHCP static leases for these addresses, for example.
/ip firewall address-list
add address=10.0.0.X list=Authorized comment="admin PC1"
add address=10.0.0.Y list=Authorized comment="admin PC2"
add address=VPNaddress list=Authorized comment="remote admin"
# Or whatever dyndns name you use.
add address=mynetname.net list=MyWAN
/ip firewall filter
# Default rules to keep
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="loopback" dst-address=127.0.0.1
# Admin rules
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="admin access to router" src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# Put this rule in as the last rule you enter.
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++
# Default rules to keep
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
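
Point (5) of the reply above says the dstnat rules are incorrect but the thread does not show a corrected form. The RouterOS sketch below is an added example, not part of either post, showing a WAN-scoped forward for the DVR ports listed in the first post next to the weak form it replaces. Assumed values, not taken from the thread: DVR at 10.0.0.50, LAN subnet 10.0.0.0/24, and an interface list named WAN that contains the PPPoE client interface.

```routeros
# Added example, not from the thread. Assumed values: DVR at 10.0.0.50,
# LAN subnet 10.0.0.0/24, and an interface list named WAN that contains the
# PPPoE client interface (not only the physical port behind it).

# Weak form: no interface match, so it also rewrites LAN clients' outbound
# connections to port 80 and sends them to the DVR.
#   /ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=80 to-addresses=10.0.0.50

# Corrected form: match only traffic arriving on WAN. With a dynamic PPPoE
# address, matching the interface list avoids hard-coding the public IP.
# to-ports is omitted, so each destination port is kept unchanged.
/ip firewall nat
add chain=dstnat action=dst-nat comment="DVR HTTP, RTSP, server port" in-interface-list=WAN protocol=tcp dst-port=80,554,8000 to-addresses=10.0.0.50

# The forward-chain rule with connection-nat-state=dstnat from the reply
# is what lets these translated connections through the filter.

# dstnat is applied before the input chain, so forwarded ports never reach
# the router's own services. Keep those services reachable from the LAN only.
/ip service
set www address=10.0.0.0/24
set winbox address=10.0.0.0/24

# Port forwarding is now explicit, so UPnP is not needed to open ports.
/ip upnp set enabled=no

# Check: the dstnat counters should increase on a remote login attempt.
/ip firewall nat print stats where chain=dstnat
```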