vester11
just joined
Topic Author
Posts: 7
Joined: Tue Nov 03, 2020 8:53 pm

Can't access IP camera from Internet

Wed Aug 25, 2021 11:16 am

Hi everyone

I have connected an IP camera in my local network and everything is working fine. But I can't access it from the internet (outside). I tried many tutorials on how to forward ports but not one of them works. My main router is an RB450Gx4. I have a static IP. Can anyone help me set this up??
[admin@MikroTik] > export hide-sensitive 
# aug/25/2021 09:02:38 by RouterOS 6.47.9
# software id = 5V87-V0VA
#
# model = RB450Gx4
# serial number = B8D00BDDF2C5
#
# Router export as first posted: PPPoE WAN on ether1, a LAN bridge over
# ether2-ether5, and two port forwards to 192.168.1.10. There is no port
# forward for the camera (192.168.1.98) in this version.
# NOTE(review): "hide-sensitive" left the serial number, software id and the
# PPPoE user name in the output; redact those by hand before posting publicly.
# MAC addresses appear as XX:XX:XX:XX:XX:XX, presumably masked by the poster.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=exdxhm6@integra
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.200-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/system logging action
# "set 3" edits a logging action by index; given action=remote further down,
# this is presumably the built-in remote (syslog) action - confirm.
set 3 remote=192.168.1.10
/user group
# Custom "ftp" group: only the ftp and read policies are granted, every other
# policy is negated with "!".
add name=ftp policy=ftp,read,!local,!telnet,!ssh,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery is not enabled on any interface list.
set discover-interface-list=none
/interface list member
# Both ether1 and the PPPoE client running on it are in the WAN list.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# ether2 is a member port of "bridge" (see /interface bridge port above), while
# the DHCP server and the ARP entries all use interface=bridge, so this address
# presumably belongs on "bridge" as well - confirm.
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip arp
# Static ARP entries pin a LAN IP to one fixed MAC. If the MAC stored here does
# not match the real device, the router sends frames for that IP to the wrong
# hardware address and connections forwarded to it time out.
add address=192.168.1.2 comment=openwrt_tp-link interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.1.3 comment=Q300_1 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.1.4 comment=Q300_2 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.1.10 comment=omv interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.1.5 comment=TP-Link interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.1.6 comment=toto_1 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.1.7 comment=toto_2 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.1.98 comment=kamerka interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
# defconf DHCP client on ether1; the WAN session itself is pppoe-out1 on the
# same port.
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.10 comment=omv mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.1.50 comment=PS4 mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.1.52 client-id=1:XX:XX:XX:XX:XX:XX comment=LGwebOSTV mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.1.51 client-id=1:XX:XX:XX:XX:XX:XX comment=sylwek-MS-7A71 mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.1.56 client-id=1:XX:XX:XX:XX:XX:XX comment="DIXONS-JVC TV" mac-address=XX:XX:XX:XX:XX:XX server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# input chain = traffic addressed to the router itself. After the
# established/ICMP accepts, everything not arriving from the LAN list is
# dropped, so new connections from WAN to router services are refused.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain = traffic routed through the router. New connections from WAN
# are dropped unless a dst-nat rule matched them.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Explicitly accepts every dst-nat'ed connection: each dst-nat entry under
# /ip firewall nat is therefore an open port with no source restriction here.
add action=accept chain=forward connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Port forwards for 51413/tcp and 51413/udp to 192.168.1.10. Neither rule sets
# in-interface-list or dst-address, so they match port 51413 traffic arriving
# on any interface (LAN clients going out to that port included), not only WAN.
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=192.168.1.10 to-ports=51413
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=192.168.1.10 to-ports=51413
/ip service
# telnet and both API services are switched off. ftp, www, ssh and winbox are
# not listed, so presumably they are still at their defaults - confirm with
# "/ip service print".
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system logging
# error, info and warning topics are sent to the remote logging action.
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
/system ntp client
set enabled=yes primary-ntp=159.253.242.123 secondary-ntp=162.159.200.123
/system package update
set channel=long-term
/system scheduler
# Runs "scriptUpdateHoleCertDomains" every hour. The script body is not part of
# this export, and the policy list gives it write, policy, password and
# sensitive rights - NOTE(review): check what the script does.
add interval=1h name=schedulerUpdateHoleCertDomains on-event=scriptUpdateHoleCertDomains policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=mar/23/2020 start-time=00:55:00
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC server access is allowed on no interface; MAC-WinBox only from the LAN list.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Can't access IP camera from Internet

Wed Aug 25, 2021 4:03 pm

The IP address should reflect the bridge interface (interface=bridge, not ether2):
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0

Are you trying to access the IP camera from behind the router? (In that case you will need hairpin NAT.) If it is simply from external locations,
then the right combination of firewall rules and dstnat should work.

/ip firewall nat (MODIFY CONFIG)
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=192.168.1.10 to-ports=51413
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=192.168.1.10 to-ports=51413


add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=192.168.1.10 to-ports=51413 in-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=192.168.1.10 to-ports=51413 in-interface-list=WAN
 
vester11
just joined
Topic Author
Posts: 7
Joined: Tue Nov 03, 2020 8:53 pm

Re: Can't access IP camera from Internet

Wed Aug 25, 2021 8:46 pm

Thanks for answer
Are you trying to access the IP camera from behind the router

Yes, I am trying to access the IP camera from my phone (LTE mobile network). For that I am using my public (static) IP: my_public_ip:port

These two rules are not for my IP camera. They are for my BitTorrent client.
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=192.168.1.10 to-ports=51413
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=192.168.1.10 to-ports=51413
So I need to add two new rules. My camera has the local IP address 192.168.1.98:4321. So should the rules be like this?
add action=dst-nat chain=dstnat dst-port=4321 protocol=tcp to-addresses=192.168.1.98 to-ports=4321 in-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=4321 protocol=udp to-addresses=192.168.1.98 to-ports=4321 in-interface-list=WAN
 
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Can't access IP camera from Internet

Wed Aug 25, 2021 9:08 pm

yes that is correct.

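The problem is that anybody in the world can now also view your IP camera!!
If it is only password protected, that can be hacked very quickly.
Access should only be via HTTPS or FTPS or some other encrypted means, and the port forward is safer if it is limited to known source addresses (src-address-list on the dst-nat rule) or replaced by a VPN to the router.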
 
vester11
just joined
Topic Author
Posts: 7
Joined: Tue Nov 03, 2020 8:53 pm

Re: Can't access IP camera from Internet

Wed Aug 25, 2021 9:22 pm

I tried those rules but it is still not working.
 
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Can't access IP camera from Internet

Wed Aug 25, 2021 11:41 pm

Please repost your latest config......
/export hide-sensitive file=anynameyouwish
 
vester11
just joined
Topic Author
Posts: 7
Joined: Tue Nov 03, 2020 8:53 pm

Re: Can't access IP camera from Internet

Thu Aug 26, 2021 10:38 am

Here you have my last config:
# aug/26/2021 09:27:48 by RouterOS 6.47.9
# software id = 5V87-V0VA
#
# model = RB450Gx4
# serial number = B8D00BDDF2C5
#
# Second export, taken after the camera port forward (4321 -> 192.168.1.98)
# was added. Layout is otherwise the same: PPPoE WAN on ether1, LAN bridge
# over ether2-ether5.
# NOTE(review): "hide-sensitive" left the serial number, software id and the
# PPPoE user name in the output; redact those by hand before posting publicly.
# MAC addresses appear as XX:XX:XX:XX:XX:XX, presumably masked by the poster.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=exdxhm6@integra
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.200-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d name=defconf
/system logging action
# "set 3" edits a logging action by index; given action=remote further down,
# this is presumably the built-in remote (syslog) action - confirm.
set 3 remote=192.168.1.10
/user group
# Custom "ftp" group: only the ftp and read policies are granted, every other
# policy is negated with "!".
add name=ftp policy="ftp,read,!local,!telnet,!ssh,!reboot,!write,!policy,!test\
    ,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery is not enabled on any interface list.
set discover-interface-list=none
/interface list member
# Both ether1 and the PPPoE client running on it are in the WAN list.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# Still bound to ether2, a member port of "bridge"; the DHCP server and the ARP
# entries use interface=bridge, so this address presumably belongs on "bridge"
# as well - confirm.
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
    192.168.1.0
/ip arp
# Static ARP entries pin a LAN IP to one fixed MAC. If the MAC stored here does
# not match the real device, the router sends frames for that IP to the wrong
# hardware address and connections forwarded to it time out. The last entry
# (kamerka, 192.168.1.98) is the target of the camera port forward below.
add address=192.168.1.2 comment=openwrt_tp-link interface=bridge mac-address=\
    XX:XX:XX:XX:XX:XX
add address=192.168.1.3 comment=Q300_1 interface=bridge mac-address=\
    XX:XX:XX:XX:XX:XX
add address=192.168.1.4 comment=Q300_2 interface=bridge mac-address=\
    XX:XX:XX:XX:XX:XX
add address=192.168.1.10 comment=omv interface=bridge mac-address=\
    XX:XX:XX:XX:XX:XX
add address=192.168.1.5 comment=TP-Link interface=bridge mac-address=\
    XX:XX:XX:XX:XX:XX
add address=192.168.1.6 comment=toto_1 interface=bridge mac-address=\
    XX:XX:XX:XX:XX:XX
add address=192.168.1.7 comment=toto_2 interface=bridge mac-address=\
    XX:XX:XX:XX:XX:XX
add address=192.168.1.98 comment=kamerka interface=bridge mac-address=\
    XX:XX:XX:XX:XX:XX
/ip cloud
set update-time=no
/ip dhcp-client
# defconf DHCP client on ether1; the WAN session itself is pppoe-out1 on the
# same port.
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.10 comment=omv mac-address=XX:XX:XX:XX:XX:XX server=\
    defconf
add address=192.168.1.50 comment=PS4 mac-address=XX:XX:XX:XX:XX:XX server=\
    defconf
add address=192.168.1.52 client-id=1:XX:XX:XX:XX:XX:XX comment=LGwebOSTV \
    mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.1.51 client-id=1:XX:XX:XX:XX:XX:XX comment=sylwek-MS-7A71 \
    mac-address=XX:XX:XX:XX:XX:XX server=defconf
add address=192.168.1.56 client-id=1:XX:XX:XX:XX:XX:XX comment=\
    "DIXONS-JVC TV" mac-address=XX:XX:XX:XX:XX:XX server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# input chain = traffic addressed to the router itself. After the
# established/ICMP accepts, everything not arriving from the LAN list is
# dropped, so new connections from WAN to router services are refused.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# forward chain = traffic routed through the router. New connections from WAN
# are dropped unless a dst-nat rule matched them.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Explicitly accepts every dst-nat'ed connection: each dst-nat entry under
# /ip firewall nat is therefore an open port with no source restriction here.
add action=accept chain=forward connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forwards for 51413/tcp and 51413/udp to 192.168.1.10. Neither rule sets
# in-interface-list or dst-address, so they match port 51413 traffic arriving
# on any interface (LAN clients going out to that port included), not only WAN.
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=\
    192.168.1.10 to-ports=51413
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=\
    192.168.1.10 to-ports=51413
# Camera forward: 4321/tcp and 4321/udp arriving on the WAN list go to
# 192.168.1.98. No src-address or src-address-list is matched, so the camera
# port is reachable from any Internet address. NOTE(review): limit the source
# addresses or reach the camera over a VPN instead; the UDP rule is presumably
# unnecessary if the camera only speaks TCP on this port - confirm.
add action=dst-nat chain=dstnat dst-port=4321 in-interface-list=WAN protocol=\
    tcp to-addresses=192.168.1.98 to-ports=4321
add action=dst-nat chain=dstnat dst-port=4321 in-interface-list=WAN protocol=\
    udp to-addresses=192.168.1.98 to-ports=4321
/ip service
# telnet and both API services are switched off. ftp, www, ssh and winbox are
# not listed, so presumably they are still at their defaults - confirm with
# "/ip service print".
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system logging
# error, info and warning topics are sent to the remote logging action.
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
/system ntp client
set enabled=yes primary-ntp=159.253.242.123 secondary-ntp=162.159.200.123
/system package update
set channel=long-term
/system scheduler
# Runs "scriptUpdateHoleCertDomains" every hour. The script body is not part of
# this export, and the policy list gives it write, policy, password and
# sensitive rights - NOTE(review): check what the script does.
add interval=1h name=schedulerUpdateHoleCertDomains on-event=\
    scriptUpdateHoleCertDomains policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/23/2020 start-time=00:55:00
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC server access is allowed on no interface; MAC-WinBox only from the LAN list.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
All I can say is that when I try to access the camera from outside via my_public_ip:4321 I get a timeout. When I then go to IP > Firewall > NAT, the first (tcp) rule is receiving some packets; the udp rule gets nothing.
 
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Can't access IP camera from Internet

Thu Aug 26, 2021 2:11 pm

You have not made the corrections yet ?????????????

(1) The interface is wrong here, it should be bridge
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0

(2) Not that it will likely make a difference but suggest change NONE to LAN.
/ip neighbor discovery-settings
set discover-interface-list=none

The two port-forwarding rules for BitTorrent also require in-interface-list=WAN,
but other than the above I don't see anything wrong with the config.

Suggest you look at the PC that your server is on and suggest maybe a firewall blocking traffic
or the software of the device has a feature that blocks traffic????

If you access the IP camera from the LAN directly via its LAN IP address, can you access the feed??
 
vester11
just joined
Topic Author
Posts: 7
Joined: Tue Nov 03, 2020 8:53 pm

Re: Can't access IP camera from Internet

Thu Aug 26, 2021 4:08 pm

(1) The interface is wrong here, it should be bridge
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0

(2) Not that it will likely make a difference but suggest change NONE to LAN.
/ip neighbor discovery-settings
set discover-interface-list=none
Oh Sorry. Now all changes is done.

Suggest you look at the PC that your server is on and suggest maybe a firewall blocking traffic
or the software of the device has a feature that blocks traffic????

If you access the IP camera from the LAN directly via the LANIIP address, can you access the feed??
Sorry but I don't understand, my English isn't very good.


Yes, you are right, the RB450x4 configuration is fine. I installed the IP Webcam app on a second phone (LAN IP 192.168.1.205:12345) and after adding new rules I can log in via my_local_ip:12345.
Something is wrong with my network configuration. Can you help with this????
My network diagram
 
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Can't access IP camera from Internet

Thu Aug 26, 2021 5:42 pm

Okay now I am very confused by your diagram.

What are you trying to do ???
I thought you were using your cell phone to connect to your router on the internet and then accessing an IP camera on your home network.

cellphone -----> DATA -----> Cellphone company-------> Internet --------> ISP modem ----------> Your router---------> LAN subnet ------> IP camera

Is this the process??
Now you are introducing a whole hockey sock of other wifi devices not mentioned.......................... of course nothing works if you dont tell the WHOLE truth. :-)
 
vester11
just joined
Topic Author
Posts: 7
Joined: Tue Nov 03, 2020 8:53 pm

Re: Can't access IP camera from Internet

Thu Aug 26, 2021 9:55 pm

What are you trying to do ???
I thought you were using your cell phone to connect to your router on the internet and then accessing an IP camera on your home network.

cellphone -----> DATA -----> Cellphone company-------> Internet --------> ISP modem ----------> Your router---------> LAN subnet ------> IP camera
And You have right. I'm using two cell phones.
One of them for login from outside. cellphone -----> DATA -----> Cellphone company-------> Internet --------> ISP modem ----------> Your router---------> LAN subnet ------> IP camera
and this not working.
So I install IP Webcam app (your phone is working like a IP Camera) on second cell phone connected via wifi to TP-link TL-WR841N/ND (add new rules to RB450x4
add action=dst-nat chain=dstnat dst-port=12345 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.205 to-ports=12345
add action=dst-nat chain=dstnat dst-port=12345 in-interface-list=WAN protocol=udp to-addresses=192.168.1.205 to-ports=12345
) for just make sure rules really don't work and after I try access from first phone by mobile network to second phone( this one with IP Webcam)and I get access. So I knew that rules a good. like you say.
I don't see anything wrong with the config
.

So I go to my neighbor, connect cell phone (this one with IP Webcam) via wifi to his router TP-link TD-W9970 and I still have access from outside via mobile network but don't have access to IP camera.
Then connect cell phone (this one with IP Webcam) via wifi to Toto link N151RT (this one in workshop) and again I have access from outside but don't have access to IP camera
So I thought the problem must be with the camera configuration. So I reset it to factory defaults and configured it again. Then I checked the RB450x4 configuration again and found that in IP > ARP I had an address reservation for the IP camera with the wrong MAC address, so I disabled it. After that everything is working fine. I get access from outside to the IP camera. But now I don't know what the problem was: bad camera configuration or the wrong MAC address :D
I hope you understand anything I wrote :lol:
my English isn't very good
Sorry. My English is poor :lol: :lol: :lol:

And almost forgot ,Thank You Very Much for Your Help.
