Unable to access IP camera from external device

Hi,

Have just purchased a couple of HAP ac2 devices. I would like to open 8080 to access our IP camera when away from home. We have a Draytek in front of the HAP ac2 which obtains a dynamic IP address.

Our device firewall filter settings are as provided by Mikrotik out of the box for the ac2:

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp in-interface-list=LAN log=no log-prefix="" 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 5    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 6    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 7    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 9    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

10    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

I am new to configuring these devices (or any others) after years of simple-to-configure TP-Links, but after some research thought a NAT forwarding rule would do it, so I added rule 1 to our NAT settings:

0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

1    chain=dstnat action=dst-nat to-addresses=192.168.88.218 to-ports=8080 protocol=tcp dst-port=8080 log=no log-prefix=""

This unfortunately does not work: the port is open, but the connection times out. The odd thing is, I thought I tried this with the camera using port 80 and it did work, but then I couldn’t get to the HAP ac2’s admin page via port 80. So OK, change the camera port to 8080 and all will be fine. It wasn’t :( I also tried UPnP and the camera added NAT entries, but it still did not allow access to the camera from outside.

Can anyone see what I have done wrong and help with this? Is there any other config I would need to share?

Andy
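
The dst-nat rule in the post above has no in-interface or dst-address matcher, so it redirects port 8080 traffic arriving on any interface, LAN included; that is consistent with the port 80 attempt hiding the router's own admin page. A check for such rules, as an added example that is not part of the original post (function names are illustrative, and the sample input is the NAT listing copied from the post):

```python
import re

# Sample input: the NAT rules as printed in the post above.
NAT_PRINT = """\
0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

1    chain=dstnat action=dst-nat to-addresses=192.168.88.218 to-ports=8080 protocol=tcp dst-port=8080 log=no log-prefix=""
"""

# RouterOS matchers that tie a dstnat rule to an inbound interface or destination address.
SCOPE_KEYS = {"in-interface", "in-interface-list",
              "dst-address", "dst-address-list", "dst-address-type"}

def parse_rules(text):
    """Split RouterOS 'print' output into {number, comment, props} dicts."""
    rules = []
    for line in text.splitlines():
        # A new rule starts with its number, optional flags (e.g. D), then a comment or properties.
        m = re.match(r"\s*(\d+)\s+(?:[A-Z]+\s+)?(.*)", line)
        if m and (m.group(2).startswith(";;;") or "=" in m.group(2)):
            rules.append({"number": int(m.group(1)), "comment": "", "props": {}})
            line = m.group(2)
        if not rules:
            continue
        line = line.strip()
        if line.startswith(";;;"):
            rules[-1]["comment"] = line[3:].strip()
            continue
        for key, value in re.findall(r'([\w-]+)=("[^"]*"|\S*)', line):
            rules[-1]["props"][key] = value.strip('"')
    return rules

def unscoped_dstnat(rules):
    """Return the numbers of dst-nat rules that match on every interface and address."""
    flagged = []
    for r in rules:
        p = r["props"]
        if p.get("chain") == "dstnat" and p.get("action") == "dst-nat" and SCOPE_KEYS.isdisjoint(p):
            flagged.append(r["number"])
    return flagged

if __name__ == "__main__":
    for n in unscoped_dstnat(parse_rules(NAT_PRINT)):
        print(f"NAT rule {n}: no interface/address matcher; add in-interface-list=WAN or dst-address")
```

Scoping the rule this way keeps LAN traffic to the router and to other hosts on the same port from being redirected to the camera.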

Hello, you have to forward two ports. The RTSP port, which stands for Real Time Streaming Protocol, is usually 554, and the HTTP port is usually 80 or 443.
I hope to have helped you.
Greetings

Are you saying the Draytek gets a public IP and the hAP ac gets a private IP from the Draytek (aka already on a LAN)???