port forwarding problem

I have an RB5009 router connected directly to my fibre modem. I have two security cameras connected to the router at 192.168.88.253 and 192.168.88.254. I would like to view them when not at home.
I have followed this advice to setup the NAT rule for one of the cameras, - https://help.mikrotik.com/docs/display/RKB/Port+forwarding
When I check these ports with https://portchecker.co/check-it , they are reported closed.
My computer firewall is turned off at the moment.
Do I need to do anything else in the router to open up the ports, or am I doing this wrong?

No idea without seeing the config.

2024-03-14 18:59:05 by RouterOS 7.14.1

software id = AKH6-QXXQ

model = RB5009UPr+S+

serial number = HDA08BKAFKG

/interface bridge
# One LAN bridge; ether2-ether8 and sfp-sfpplus1 are its ports (see /interface bridge port).
add admin-mac=18:FD:74:CC:AD:C5 auto-mac=no comment=defconf name=bridge
port-cost-mode=short
/interface pppoe-client
# Internet uplink: PPPoE over ether1. The public address comes from the ISP; if it is
# dynamic, later replies in the thread recommend matching port forwards on
# in-interface-list=WAN rather than on a fixed dst-address.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=------------------------------
/interface list
# WAN/LAN lists are what the firewall and NAT rules match on; members are assigned below.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# NOTE(review): the pool ends at .254, so it overlaps the camera addresses .253 and .254
# named in the post; no static leases appear in this export, so confirm the cameras
# cannot collide with an ordinary DHCP client.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
# Every copper port except ether1, plus the SFP+ port, is a LAN bridge member.
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10
path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=
10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbour discovery only on LAN-facing interfaces.
set discover-interface-list=LAN
/interface list member
# Both the physical ether1 and the PPPoE session are in WAN, so WAN-matching
# firewall and NAT rules cover the tunnel the traffic actually arrives on.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
/ip dhcp-client
# Disabled: the WAN address comes from PPPoE, not from DHCP on ether1.
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
# The router resolves for any client that can reach its input chain; the
# "drop all not coming from LAN" input rule in the filter section is what keeps
# this resolver off the internet, so that rule must stay while this is enabled.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Anything addressed to the router that did not arrive on a LAN interface is
# dropped; this is what shields DNS, winbox, www etc. from the WAN side. It does
# not touch port forwards, which are handled in the forward chain.
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
# Established/related connections are fasttracked (hw-offload) and accepted.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
# New connections from WAN survive this rule only if a dstnat rule already matched
# them, so a port forward needs a correct /ip firewall nat rule; nothing here blocks it.
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
# Outbound source NAT for everything leaving via WAN (defconf).
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
# Rule 1 (disabled): src-port=8001 matches the *client's* source port, which is
# normally a random ephemeral port, so inbound camera connections would not match;
# the intended matcher is dst-port=8001. src-address=0.0.0.0 with no mask is the
# single host 0.0.0.0, not "any source". dst-address is a redacted public IP, which
# stops matching as soon as the PPPoE address changes.
add action=dst-nat chain=dstnat comment="front camera" disabled=yes
dst-address=xx.xxx.xxx.xxx protocol=tcp src-address=0.0.0.0 src-port=8001
to-addresses=192.168.88.254 to-ports=8001
# Rule 2 (disabled): dst-port is right here, but dst-address is redacted in a
# MAC-like form; if the real value was a MAC it is not a valid IP matcher.
add action=dst-nat chain=dstnat disabled=yes dst-address=xx:xx:xx:xx
dst-port=8001 protocol=tcp to-addresses=192.168.88.254 to-ports=8001
# Rule 3 (enabled): has no to-addresses, so the dst-nat only rewrites the port and
# never sends the packet to the camera; the camera IP ended up in log-prefix instead.
# src-address also limits the rule to a single (redacted) source.
add action=dst-nat chain=dstnat dst-port=8001 in-interface-list=WAN
log-prefix=192.168.88.254 protocol=tcp src-address=xx:xx:xx:xx to-ports=
8001
/ipv6 firewall address-list
# Reserved/bogon IPv6 ranges, dropped as source or destination in the forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default IPv6 firewall. No IPv6 address is configured anywhere in this export, so
# these rules are idle unless IPv6 gets set up; a later reply suggests disabling
# IPv6 entirely if it is not used.
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=
33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Same LAN-only policy for the router itself as on the IPv4 side.
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Unlike IPv4 there is no dstnat exception here: nothing new from WAN is forwarded over IPv6.
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-winbox are only reachable from LAN interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) Slight mod to DNS…
/ip dns
# Pins an upstream resolver instead of the PPPoE peer's DNS. allow-remote-requests=yes
# means the router answers DNS for anything that reaches its input chain, so keep the
# "drop all not coming from LAN" input rule in place.
set allow-remote-requests=yes servers=1.1.1.1

REMOVE the following default…
/ip dns static
# Default router.lan record that the reply above says to remove.
add address=192.168.88.1 comment=defconf name=router.lan

(2) Take this default rule and create three new rules… Clearer and better security.
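# Default rule being replaced (quoted from the posted config). It is the last rule in
# the forward chain, so the three rules below take the same final position, after the
# defconf fasttrack / established,related / drop-invalid rules.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

# 1) LAN out to the internet, 2) only connections a dstnat rule matched (port forwards),
# 3) explicit drop for everything else. Straight quotes: the curly ones in the forum
# rendering are not valid RouterOS syntax.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"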

Nothing so far that I see stopping your required traffic… above are improvements.
++++++++++++++++++++++++++++++++++++++++++++++++++++++

(3) Okay lets look at your dstnat rule.
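/ip firewall nat
# As posted (quotes and line continuations restored). src-port=8001 matches the
# client's source port, normally a random ephemeral port, so real camera connections
# never match; dst-port=8001 is what is meant. src-address=0.0.0.0 is the single host
# 0.0.0.0, not "any source", and a fixed dst-address stops matching whenever the
# PPPoE address changes.
add action=dst-nat chain=dstnat comment="front camera" disabled=yes \
    dst-address=xx.xxx.xxx.xxx protocol=tcp src-address=0.0.0.0 src-port=8001 \
    to-addresses=192.168.88.254 to-ports=8001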

DO NOT USE source address 0.0.0.0. USE dst-port, not src-port.
If you want to limit which public IPs can access your Server, then create a firewall address list etc…
Note: adding a source IP or a src-address list of IPs also has the side benefit that your ports are not visible on a scan at all, rather than just showing as closed.
If your WANIP is dynamic then use in-interface-list=WAN
If your WANIP is static then use dst-address=X.X.X.X (your static WANIP)
to-ports is not required if it is the same as dst-port.

ex.
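# Match on the port hitting the router and on the WAN interface list (so a changing
# PPPoE address does not matter); to-ports is omitted because it equals dst-port.
# This exposes 8001 to the whole internet: add src-address or src-address-list to
# limit who may connect. Straight quotes - the curly ones in the forum rendering are
# not valid RouterOS syntax.
add action=dst-nat chain=dstnat comment="front camera" disabled=no \
    in-interface-list=WAN dst-port=8001 protocol=tcp to-addresses=192.168.88.254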

Q. Do you have users on the same LAN as the server accessing the server by DYNDNS name/URL ??

Great, learning a lot.
How do I make those changes, using webfig or the command line? I would like to see the cameras on the intranet, so yes – do I need to make a masquerade rule?

I use winbox, but webfig should suffice. You already have a masquerade rule.

So there's not really anything preventing port 8001 from being open in my config?

Best to clean up the config and if still having issue post the latest config…

Please note when you post the config, please include your config in a code block. The code block is the 7th icon on the row of icons above the text entry box. It looks like a square with a blob in the middle. When you press that, it will produce a beginning and ending code block marker. Paste your config text between the two.

Isn't the first non-code-block config and won't be the last… you can thank Normis for the resulting first-posting experience of new users and those supporting them :slight_smile:

thanks

I am still struggling with port forwarding my security cameras. I have the config below. When I try to connect from the WAN using my phone I can see packets going up on the connections in RouterOS but no transfer of data. Please can someone look at my config. (I did try setting up Back To Home but then deleted it, because it seemed to slow my home connection speed.)

# 2024-04-11 07:40:44 by RouterOS 7.14.2
# software id = AKH6-QXXQ
#
# model = RB5009UPr+S+
# serial number = HDA08DKAFKG
/interface bridge
# One LAN bridge; ether2-ether8 and sfp-sfpplus1 are its ports (see /interface bridge port).
add admin-mac=18:BD:74:CC:AD:C5 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface pppoe-client
# Internet uplink: PPPoE over ether1, so the public address is assigned by the ISP.
# The port forwards below therefore match on in-interface-list=WAN, not a fixed IP.
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxx
/interface list
# WAN/LAN lists are what the firewall and NAT rules match on; members are assigned below.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# NOTE(review): the pool ends at .254, so it overlaps the camera addresses .253 and .254
# used by the NAT rules below; no static leases appear in this export, so confirm the
# cameras cannot collide with an ordinary DHCP client.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
# Every copper port except ether1, plus the SFP+ port, is a LAN bridge member.
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbour discovery only on LAN-facing interfaces.
set discover-interface-list=LAN
/interface detect-internet
# Internet detection probes every interface; unrelated to the port forwards and can be
# narrowed to the WAN list if the extra probing is unwanted.
set detect-interface-list=all
/interface list member
# Both the physical ether1 and the PPPoE session are in WAN, so WAN-matching
# firewall and NAT rules cover the tunnel the traffic actually arrives on.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
# NOTE(review): interface=*D is an internal-id reference rather than an interface name,
# which in an export usually means the WireGuard interface it pointed to no longer
# exists - presumably the Back To Home interface the poster says was removed. Confirm,
# and delete this orphan peer if so.
add allowed-address=xxxxxxxxxxx/32 comment="xxxxxxxxxxx (iPhone16,2)" \
    interface=*D public-key="xxxxxxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
# Back To Home VPN is still enabled here even though the poster says it was deleted;
# DDNS is on with a 10m update interval.
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# Resolver answers any client that reaches the input chain; the filter's
# "drop all not coming from LAN" rule keeps it LAN-only, so keep that rule.
# verify-doh-cert=yes presumably has no effect here, since no DoH server
# (use-doh-server) appears anywhere in this export - confirm.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8 verify-doh-cert=yes
/ip dns static
# The same four dns.nextdns.io records exist twice (a disabled and an enabled set).
# The enabled set is exactly what the "add dns ip_nextdns" script further down adds,
# so running that script again would create yet another copy.
add address=45.90.28.0 disabled=yes name=dns.nextdns.io
add address=45.90.30.0 disabled=yes name=dns.nextdns.io
add address=2a07:a8c0:: disabled=yes name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: disabled=yes name=dns.nextdns.io type=AAAA
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Anything addressed to the router that did not arrive on a LAN interface is
# dropped; this is what shields DNS, winbox, www etc. from the WAN side. It does
# not touch the camera forwards, which are handled in the forward chain.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Established/related connections are fasttracked (hw-offload) and accepted.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections from WAN survive this rule only if a dstnat rule already matched
# them; the two camera forwards in /ip firewall nat satisfy that, so nothing here
# blocks them.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Outbound source NAT for everything leaving via WAN (defconf).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards now match on dst-port plus in-interface-list=WAN (works with the
# dynamic PPPoE address) and hand each port to its camera unchanged. Note these
# only match traffic that arrives on a WAN interface, so LAN clients connecting
# to the public address are not translated (hairpin NAT is discussed later).
# Both ports are open to the entire internet; add src-address or an address list
# if only known clients need access.
add action=dst-nat chain=dstnat comment=front dst-port=8001 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.253 to-ports=\
    8001
add action=dst-nat chain=dstnat comment=back dst-port=8002 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.88.254 to-ports=8002
/ip service
# Unneeded management services disabled. www, ssh and winbox are not listed, so
# they keep their defaults; the input chain's !LAN drop still keeps them off WAN.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
# Reserved/bogon IPv6 ranges, dropped as source or destination in the forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default IPv6 firewall. No IPv6 address is configured anywhere in this export, so
# these rules are idle unless IPv6 gets set up; a later reply suggests disabling
# IPv6 entirely if it is not used.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Same LAN-only policy for the router itself as on the IPv4 side.
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Unlike IPv4 there is no dstnat exception here: nothing new from WAN is forwarded over IPv6.
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/system script
# Script 1 adds the same four dns.nextdns.io static records that already exist in
# /ip dns static above; running it again creates another duplicate set.
# NOTE(review): the policy list grants password, policy, sensitive, ftp, reboot and
# more - far beyond what adding DNS records needs. read,write would presumably be
# enough; trim it unless something else relies on the wider policy.
add comment=20240401 dont-require-permissions=no name="add dns ip_nextdns" \
    owner=capnahab policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip dns static add name=dns.nextdns.io address=45.90.28.0 type=A;\
    \n/ip dns static add name=dns.nextdns.io address=45.90.30.0 type=A;\
    \n/ip dns static add name=dns.nextdns.io address=2a07:a8c0:: type=AAAA;\
    \n/ip dns static add name=dns.nextdns.io address=2a07:a8c1:: type=AAAA;"
# Script 2 adds dstnat redirect rules that send all port-53 traffic crossing the
# router to the router's own resolver. They carry no in-interface-list=LAN, so they
# would also apply to DNS arriving on WAN (the input chain's !LAN drop still
# discards it, but the rule should be scoped to LAN anyway). The same over-wide
# policy applies, and dont-require-permissions=yes lets it run with that policy
# regardless of who triggers it. The redirect rules are absent from /ip firewall nat
# above, so the script appears not to have been run, or its rules were removed.
add comment="add nat (nextdns)" dont-require-permissions=yes name=nat_nextdns \
    owner=capnahab policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53 \
    \n/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=\
    53 "
/tool mac-server
# MAC-telnet and MAC-winbox are only reachable from LAN interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Are you sure that cameras provide their service on ports 8001 and 8002? I’d guess they are actually using standard port 80 … in which case NAT rules should have “to-ports=80” set.

(1) recommend change this rule:
from:
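# Default rule to replace (quoted from the posted config, quotes and line
# continuations restored). It is the last rule in the forward chain.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN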

TO:
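# Replacement for the default final forward rule, in the same final position: LAN out
# to the internet, then only connections a dstnat rule matched (port forwards), then
# an explicit drop. Straight quotes - the curly ones in the forum rendering are not
# valid RouterOS syntax.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"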

(2) As MKX very sideways alluded, there appears to be nothing intrinsically wrong with the config to prevent your desired traffic. Hence his query on confirming correct port allocation.
It would seem you probably are attempting port translation, so dst-port = PORT HITTING THE ROUTER, to-ports = PORT REACHING THE SERVER. The router does the switcheroo for you.

(3) If not using IPv6, ensure it's disabled…

I have mainly used the default firewall rules. there is an entry

# chain=input only covers traffic addressed to the router itself (DNS, winbox, etc.).
# Connections to the cameras are dst-nat'ed first and then traverse the forward
# chain, whose final defconf rule drops new WAN connections only when they were
# NOT dst-nat'ed - so this input rule does not block the camera forwards.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

(see config above)

That seems like it may be blocking requests to the camera – what do you think?

The ports 8001 (camera 1) and 8002 (camera 2) are what are recommended in the camera instructions and set up in the camera config (as well as port 80). I suppose I could try port 80 too, but that is maybe slightly less secure.

Did you make the changes to your firewall rules as @anav suggested you earlier in the topic and later mentioned again by @llamajaja?

Can you confirm that cameras are using only those ports ? What camera brand are you using ?

I think I have made all the changes, that's why I showed the config.
I am only using those ports.
I don’t understand what @llamajaja means by
It would seem you probably are attempting port translation, so the dst-port = PORT HITTING THE ROUTER, to-port = PORT REACHING THE SERVER. The router does the switcheroo for you.

The cameras are Mobotix M16.
I had this working after @anav’s advice. The only thing I did in the interim was try to install back to home from my phone but it seemed to slow my connection down on the LAN so I tried to remove it.

It is now working,
as @anav said, 'DO NOT USE source address 0.0.0.0, USE DST PORT not src port' did it.

Now I just need to work out how to make it available from the LAN as @anav said

I would like to be able to view my cameras from the LAN. Here is my NAT config. Neither camera works when viewed from the LAN, but both are fine from the WAN – I tried adding the port number to the second one to see if it made a difference, but no.

model = RB5009UPr+S+
# serial number = HDA08BKAFKG
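/ip firewall nat
# Outbound source NAT for everything leaving via WAN (defconf).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Forwards from the internet: matched on the WAN interface list so the dynamic PPPoE
# address does not matter. Both ports are open to everyone; add src-address or an
# address list if only known clients need access.
add action=dst-nat chain=dstnat comment=front dst-port=8001 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.254 to-ports=8001
add action=dst-nat chain=dstnat comment=back dst-port=8002 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.253 to-ports=8002
# Hairpin NAT, step 1: a LAN client that connects to the router's public address never
# arrives on a WAN interface, so the two rules above do not match it. Translate the same
# ports when the destination is one of the router's own addresses (dst-address-type=local
# covers the dynamic PPPoE IP without hard-coding it).
add action=dst-nat chain=dstnat comment="front (hairpin)" dst-address-type=local dst-port=8001 protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.254 to-ports=8001
add action=dst-nat chain=dstnat comment="back (hairpin)" dst-address-type=local dst-port=8002 protocol=tcp src-address=192.168.88.0/24 to-addresses=192.168.88.253 to-ports=8002
# Hairpin NAT, step 2: after dst-nat the camera would answer the LAN client directly, and
# the client discards a reply from 192.168.88.x to a connection it opened to the public
# IP. Masquerading LAN-to-LAN hairpinned connections makes the reply return via the
# router. No to-ports here: on a masquerade rule to-ports rewrites the SOURCE port, which
# is why the original last rule (to-ports=8002) made things worse rather than better.
add action=masquerade chain=srcnat comment="hairpin nat" dst-address=192.168.88.0/24 src-address=192.168.88.0/24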