Community discussions

 
ignasand
just joined
Topic Author
Posts: 4
Joined: Mon Feb 18, 2019 8:58 am

wyze cam port forwarding

Mon Feb 18, 2019 10:15 am

Hi,
first of all, I am not a CS specialist, so sorry for my unclear descriptions.
I have an RB951G-2HnD, OS v6.43.8. I am having trouble connecting a cloud camera, the Wyze Cam V2.
I have found that UDP and TCP ports need to be open (as I understand it, OPEN == FORWARDING).
One source claims that "UDP: open all ports
TCP: Open port 22, 80, 8000, 443, 21047, 10001";
Another: "You do need to have ports open! Here are the ports required for optimal use: TCP: 80, 123, 443, 8000, 8605, 10001, 10002, and 22345. UDP: 80 and 443"
I tried to open those ports, but did not succeed.

The camera gets its local IP address (192.168.88.**, checked via WinBox) but cannot connect to the internet (the blinking LED on the camera indicates that there is no connection).
I was wondering, maybe I can remove some firewall or NAT filter rule? Or quickly open all ports with a simple command?

Firewall filters:
[admin@MikroTik] > /ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 5    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 6    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 7    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 8    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 9    ;;; defconf: drop invalid

[admin@MikroTik] > 

All kinds of advice are welcome.
Thank you for your time,
Ignas
 
ignasand
just joined
Topic Author
Posts: 4
Joined: Mon Feb 18, 2019 8:58 am

Re: wyze cam port forwarding

Fri Apr 19, 2019 9:56 am

Quick note:
if I disable the default NAT masquerade rule (when the camera tries to connect to wifi) and enable it after a few seconds, everything works fine.
 
anav
Forum Guru
Posts: 2975
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wyze cam port forwarding

Fri Apr 19, 2019 5:30 pm

My recommendation is to get rid of any modern device that depends upon you opening up your router to the world of insecurity.
Nothing I read with any validity suggests you need any port forwarding.

The issue is most likely your config. Please post.

/export hide-sensitive file=yourconfig
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: wyze cam port forwarding

Fri Apr 19, 2019 6:44 pm

I can absolutely assure you that the Wyze cameras do NOT require anything "special" to be opened on a reasonably normal router configuration. As long as a LAN device can get to the internet and responses get back to it, it will connect just fine.
I have 13 Wyze cameras (2 Pans and 11 V2). Other than putting them on their own LAN and WiFi, I did nothing abnormal (I don't entirely trust a Chinese camera inside my firewall).
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
anav
Forum Guru
Posts: 2975
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wyze cam port forwarding

Fri Apr 19, 2019 9:37 pm

I can absolutely assure you that the Wyze cameras do NOT require anything "special" to be opened on a reasonably normal router configuration. As long as a LAN device can get to the internet and responses get back to it, it will connect just fine.
I have 13 Wyze cameras (2 Pans and 11 V2). Other than putting them on their own LAN and WiFi, I did nothing abnormal (I don't entirely trust a Chinese camera inside my firewall).
@K6ccc, the only reason your cloud video is filtered through the Chinese army servers is to ensure that all your house porn is stored safely. ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
ignasand
just joined
Topic Author
Posts: 4
Joined: Mon Feb 18, 2019 8:58 am

Re: wyze cam port forwarding

Sun Apr 21, 2019 9:31 am

My recommendation is to get rid of any modern device that depends upon you opening up your router to the world of insecurity.
Nothing I read with any validity suggests you need any port forwarding.

The issue is most likely your config. Please post.

/export hide-sensitive file=yourconfig
Hi,
Thank you for the reply.
Here is my config script:
# apr/21/2019 09:22:47 by RouterOS 6.43.8
# software id = XRIV-K778
#
# model = 951G-2HnD
# serial number = 557E0451F7D0
/interface bridge
add admin-mac=4C:5E:0C:E0:B5:E7 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    "Slice of Life" wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server lease
add address=192.168.88.73 client-id=1:2c:aa:8e:5:15:26 comment=wyze \
    mac-address=2C:AA:8E:05:15:26 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Vilnius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Jotne
Forum Guru
Posts: 1303
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: wyze cam port forwarding

Sun Apr 21, 2019 11:13 am

I do guess that the Wyze cam works like any other modern device.
You connect it on your inside LAN. The camera then connects to a cloud server.
When you are on the public internet, you connect to the cloud server and see your camera info.

So no NAT and no port forwarding are needed. Just connect, register, sign in, etc.

If you, on the other hand, have a high-end camera like Axis and would like to stream directly from it, you need to forward a port to it (if you do not get a high-end software solution for it).
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
anav
Forum Guru
Posts: 2975
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wyze cam port forwarding

Sun Apr 21, 2019 4:55 pm

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0

You are in a conflict situation.
sol'n
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
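
The two checks discussed in this thread, as an added example that is not code from any poster: it reads a RouterOS export, flags an IP address or DHCP server bound to a bridge member port (the ether2 case above), and lists dstnat rules so you can confirm nothing is forwarded inbound to the camera. The sample export is constructed from the shape of the posted one, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed to the shape of the export posted in this thread.
SAMPLE_EXPORT = r"""
/interface bridge
add comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the add/set lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # rejoin lines wrapped with a trailing backslash
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus.setdefault(path, []).append({k: v.strip('"') for k, v in pairs})
    return menus

def addresses_on_bridge_ports(menus):
    """Flag IP addresses or DHCP servers bound to a port that is a bridge member."""
    member_of = {p["interface"]: p.get("bridge")
                 for p in menus.get("/interface bridge port", []) if "interface" in p}
    return [(menu, item["interface"], member_of[item["interface"]])
            for menu in ("/ip address", "/ip dhcp-server")
            for item in menus.get(menu, [])
            if item.get("interface") in member_of]

def port_forwards(menus):
    """Return the dstnat (port forward) rules found in /ip firewall nat."""
    return [r for r in menus.get("/ip firewall nat", []) if r.get("chain") == "dstnat"]

if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    print(addresses_on_bridge_ports(cfg))  # the /ip address entry on ether2
    print(port_forwards(cfg))              # empty: nothing is forwarded inbound
```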
 
ignasand
just joined
Topic Author
Posts: 4
Joined: Mon Feb 18, 2019 8:58 am

Re: wyze cam port forwarding

Mon Apr 22, 2019 9:51 am

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0

You are in a conflict situation.
sol'n
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
Hello,
thank you for the help. I've never changed anything in this (IP address) part of the settings, I just reset the router to factory settings a few times. It's strange that there is a conflict situation.
Despite this, I changed the settings as you suggested.

After all that, the situation is still the same. The device connects to the router (attached screenshot, it's selected in the wireless clients list), but doesn't get access to the internet (the blinking blue LED on the device indicates that there is no internet connection).
As I mentioned before, the only way (as far as I know) to work around this problem is to disable the default NAT rule (action: masquerade) for approximately 10s. The device connects as soon as I enable this rule.

Here is the yourconfig.rsc after the corrections:
# apr/22/2019 09:25:17 by RouterOS 6.43.8
# software id = XRIV-K778
#
# model = 951G-2HnD
# serial number = 557E0451F7D0
/interface bridge
add admin-mac=4C:5E:0C:E0:B5:E7 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    "Slice of Life" wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Vilnius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
