I have a Comcast gateway which is setup as “true bridge”. I have been trying to access my ip camera from outside for months now. I have no luck with port forwarding and needs help badly.
My camera has been assigned with port 8150. I added a static ip for 192.168.88.241. I think I setup my port forwarding correctly but using http://www.canyouseeme.org/, it says the port refused connection. I can access my camera locally but not from the internet. Thanks everyone for your help.
Thanks. However, it still doesn’t work. I read the user’s guide of my IP camera and it says, for browser access to the camera you need to forward public TCP port 8150 to internal port (base port) 80.
Last possibility is the port you use is blocked by your isp. Some isp may block a range of port to prevent their customer for making private server.
I also had issue with port forwarding about my cctv dvr.
If the dvr/cctv connected through a router then to mikrotik, just make sure that you also open the port on the router.
Or if you have some additional firewall rules, try to disable them and move this port forward rule to top off-course after the dummy rules (if exist).
My advice is try to use other port like 8XXX or 9XXX instead of 80
Port forwarding works fine in my previous router (Linksys). I don’t think it’s blocked by my ISP. Is there way to know if the port is being blocked (port 8150) by the router? How do I open the port 8150 in the router? Sorry for the many questions. Unfortunately, it still doesn’t work. I can see packets.
There is someone from support? I have the same problem.
Moreover, sometimes my router forwards packets, but always only on IP .211. Even when I put another address in fied “ToAddress”.
The simple task and can’t be solved more than 5 days.
If firewall filter rules need to be added, the dst-port should be 80 (when NAT is translated to it) and for more strict allowance add dst-address to whti 192.168.88.241
And this should be in the forward chain!
How do I open the port 8150 in the router? Sorry for the many questions. Unfortunately, it still doesn’t work. I can see packets.
I am a beginner into mikrotik routers myself so that please forgive me but I still think that proper chain commands here would be ( it is just a basic port forwarding, after all):
accepting conections from WAN ( in-interface=ether1-gateway ), on proto tcp (protocol=tcp), for destination port 8150 (dst-port=8150), in the first place
/ip firewall filter
add action=accept chain=input comment="Accept connections from outside to inside port 8150" dst-port=8150 in-interface=ether1-gateway log=yes log-prefix=mycam protocol=tcp
forwarding conections on WAN ( in-interface=ether1-gateway ), on proto tcp (protocol=tcp), for destination port 8150 (dst-port=8150) to LAN destination adress 192.168.88.241 ( to-addresses=192.168.88.241 ), for destination port 80 (to-ports=80)
/ip firewall nat
add action=dst-nat chain=dstnat comment="Access my camera on web" dst-port=8150 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.241 to-ports=80
Input chain is used when traffic is destined for the router itself
forward chain is used when traffic is destined for a client and router used to forward the traffic towards it.
Then comes the NAT-ting part.
Look at http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6 and there you will come to the conclusion that when a packet is initially send to the router, during pre-routing the dst-nat actions are handled. That will mean that after dst-nat actions (translations) are done, the destination address of the packets are changed from the original IP held by the router to the real destionation (eg translated from a public IP 217.65.98.3 to 192.168.88.5).
Then comes the routing decision and since the destination address is 192.168.88.5 after dst-nat the actual destination is not the router itself anymore and therefor the filter is should be handled in the forward chain.
Same applies for the dst-port. During dst-nat (in pre-routing) the dst-port is changed from 8150 to 80, and therefor the filter rule should be mathcing the dst-port 80.
Thanks everyone for helping me out. It still a no go. Here are my settings
IP->Firewall->Rules
chain = forward
protocol = tcp
dst port = 80
in. interface = either1-gateway
action = accept
IP->Firewall->NAT
chain = dstnat
protocol = tcp
dst port = 8150
in. interface = either1-gateway
action = dstnat
to address = 192.168.88.241 (local camera ip)
to ports = 80
I even disabled all filter rules and fort forwarding still doesn’t work. I forgot to mention that my ip camera has a built-in web server (thus the port 80). When I access the camera from a browser using 69.140.252.50:8150, the page loads very quickly with a message that it refused to connect. When I access 69.140.252.50:80, it goes straight to my router login page.
When you are connected to your internal network, how do you access your camera?
By using port 80 or 8150?
Since you have supplied your public IP in your previous post I just gave it a try and when I go to port 8150 I end up seeing some "Shark Security" login page for a camera, so in my perspective it works!
I now assume you are trying to connect to your camera via your public IP, while you are inside your own local network.
If that is the case, you will need an additional NAT rule, according to this principle (http://wiki.mikrotik.com/wiki/Hairpin_NAT)
your rule should look like
RouterOS process NAT rules before it does Filter rules, so an Accept rule on the input chain will never get hit if you’re NATing the traffic. If you want to forward external port 8150 to port 80 on your camera, you need to do 2 things: 1) add the appropriate dst-nat rule, and 2) assuming you have a “Drop All” rule at the bottom of every Filter chain (which you should for security reasons), you need to add an Accept rule to the forward chain. Given the information you’ve provided, those rules should look like this:
You’ll need to make sure those rules are high enough in the table that they are matched before any more permissive rules. Firewall rules are processed from the top-down, and best practice is to put the most restrictive and most frequently matched rules closer to the top. If these rules don’t get it working for you, you’ll need to post an export of your entire config, as something else must be interfering.
If referring to dst-nat you are right, dst-nat is handled in pre-routing (before routing decisions are made)
Based on routing decisions, the input or forward chain will be handled with their respective firewall filter.
After that, during post-routing, any applicable src-nat rules will be carried out.
Thank you so much for your help. I was trying to access it from within my local network. I tried accessing it from outside and it works. I’m using a Shark Security IP camera but will be upgrading to another brand this month. I learned a lot from all these postings. Again, thanks a lot.
