wingchun007
just joined
Topic Author
Posts: 4
Joined: Tue Dec 18, 2012 5:31 am

IP Camera Port forwarding

Tue Dec 18, 2012 6:35 am

Hi all,

This is a newbie question.
I have a RouterBoard 450G, running RouterOS 5.11. I'm trying to put an IP camera on
the LAN, and access it on our WAN network.

Camera IP = 192.168.88.51
WAN interface IP = 192.168.1.117

The camera uses 3 ports:

Port 6080 = camera web server
Port 6001 = camera control
Port 6002 = camera streaming

To access camera from the WAN, I have implemented a masquerade rule:

0 chain=srcnat action=masquerade out-interface=ether1-gateway

And destination NAT rules for the 3 ports:

1 ;;; Forward camera web port
chain=dstnat action=dst-nat to-addresses=192.168.88.51 to-ports=6080
protocol=tcp dst-address=192.168.1.117

2 ;;; Forward camera control port
chain=dstnat action=dst-nat to-addresses=192.168.88.51 to-ports=6001
protocol=tcp dst-address=192.168.1.117

3 ;;; Forward camera streaming port
chain=dstnat action=dst-nat to-addresses=192.168.88.51 to-ports=6002
protocol=tcp dst-address=192.168.1.117

From these rules, I can access the camera's web server, but cannot get video.

Then I tried to add source NAT rules for the 3 camera ports:

4 chain=srcnat action=src-nat to-addresses=192.168.1.117 protocol=tcp
src-address=192.168.88.51 src-port=6080

5 chain=srcnat action=src-nat to-addresses=192.168.1.117 protocol=tcp
src-address=192.168.88.51 src-port=6001

6 chain=srcnat action=src-nat to-addresses=192.168.1.117 protocol=tcp
src-address=192.168.88.51 src-port=6002

But still cannot get video. However, I was able to open the 3 camera ports on a
Cisco RVS4000 router/firewall, and it works. Video and full web control of camera.

Any suggestions? Thanks.
 
Discus
newbie
Posts: 36
Joined: Fri Nov 13, 2009 1:55 pm
Location: South Africa

Re: IP Camera Port forwarding

Tue Dec 18, 2012 1:09 pm

I think you have your to-addresses and dst-address backwards?

If we assume the WAN address you'd like to have ports forwarded to the camera is 192.168.1.117 and the camera's assigned LAN IP address is 192.168.88.51, a rule like:
 chain=dstnat action=dst-nat to-addresses=192.168.1.114 to-ports=6080 protocol=tcp dst-address=192.168.88.51 dst-port=6080 
(repeat for the other ports)
should work.

Also, make sure that the protocol is indeed supposed to be TCP, not UDP for all ports. Many video streams are UDP. To test this, simply replicate all 3 rules and make the protocol UDP. If you see the packet count go up, you can bet you're supposed to be doing UDP for those ports for which it increments. :)
 
cbrown
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm

Re: IP Camera Port forwarding

Tue Dec 18, 2012 2:21 pm

He has the rule reading the right direction but has specified the ports wrong. Right now your rule reads ANYTHING going to 192.168.1.117 dst-nat to 192.168.88.51 port 6080. Which means traffic going to the other ports specified never makes it because it matches this rule first and goes to this port.

It should look more like this. This is also assuming your camera is using TCP and not UDP. If it is using UDP just switch the protocol to UDP.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.1.117 dst-port=6080 \
    protocol=tcp to-addresses=192.168.88.51
add action=dst-nat chain=dstnat dst-address=192.168.1.117 dst-port=6001 \
    protocol=tcp to-addresses=192.168.88.51
add action=dst-nat chain=dstnat dst-address=192.168.1.117 dst-port=6002 \
    protocol=tcp to-addresses=192.168.88.51
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
wingchun007
just joined
Topic Author
Posts: 4
Joined: Tue Dec 18, 2012 5:31 am

Re: IP Camera Port forwarding

Tue Dec 18, 2012 11:48 pm

Thanks newbie and cbrown.

Yes, my packets are all TCP. I checked with Wireshark. :)

cbrown, I tried your commands, but it still does not work. From the WAN, I can only see part of the web page
come up. Not the full web page, and no video.

Sorry for not providing more details. To clarify, the camera is on LAN, and I am trying to access from WAN.

LAN network is 192.168.88.0/24 (I think this is how you specify class C network)
WAN network is 192.168.1.0/24
Camera IP = 192.168.88.51
WAN IP = 192.168.1.117

When opening browser on WAN, browser tries to talk to camera web port (6080). But the source port
never stays the same. In one session, the browser sends TCP packet on source port 1792 to destination
port 6080. If I logout and start a new browser session, the source port may be 1814 next time.

So is it correct to specify only dst-port? Do I need src-nat rules too?

thanks
 
gotsprings
Forum Veteran
Posts: 802
Joined: Mon May 14, 2012 9:30 pm

Re: IP Camera Port forwarding

Thu Dec 27, 2012 7:10 pm

Well that wan IP is class C so I don't know how you would reach that from the outside world.

But if that was just a place holder like...
Actual IP of the Mikrotik is whatever...

Cbrown's code is going to take any request hitting the router for the IP you provided and shunt it to the camera.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: IP Camera Port forwarding

Fri Dec 28, 2012 12:44 pm

gotsprings wrote:
"Well that wan IP is class C so I don't know how you would reach that from the outside world."

Class C addresses can be public or private. The OP's WAN address happens to be an RFC 1918 private address but that is not implied by it being "Class C".
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
wingchun007
just joined
Topic Author
Posts: 4
Joined: Tue Dec 18, 2012 5:31 am

Re: IP Camera Port forwarding

Fri Dec 28, 2012 10:56 pm

gotsprings, CelticComms,

Thanks for the reply.
I am on a class C private network which is protected by a firewall and gateway to the internet.
For my setup, I am calling it a WAN. Not sure if that is correct terminology.

Anyway, my Routerboard 450G WAN port is connected to this private class C network.
And my camera is on the LAN of this Routerboard.

I tried cbrown's commands, but I still cannot access camera from WAN port.
Interestingly, replacing the Routerboard with a Cisco RVS4000 router worked.
Of course, Cisco's web interface is very simple. You just go to Firewall->Port
range forwarding. And set a range of ports to open, and specify the IP address
within the LAN (of the camera).

I prefer to use the Routerboard because of its small size and built-in serial port.

Thanks.
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: IP Camera Port forwarding

Sat Dec 29, 2012 1:39 pm

Can you post the output from /export compact?
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
wingchun007
just joined
Topic Author
Posts: 4
Joined: Tue Dec 18, 2012 5:31 am

Re: IP Camera Port forwarding

Thu Jan 03, 2013 5:41 am

Hi CelticComms,

Happy New Year and thank you for responding.

I finally got full control of the camera through my Mikrotik firewall.
It turns out cbrown's commands were correct. Instead of copying and pasting
his commands, I "transposed" his commands, thinking the order of parameters did not matter.

Here are cbrown's commands (correct)

add action=dst-nat chain=dstnat dst-address=192.168.1.117 dst-port=6080 protocol=tcp to-addresses=192.168.88.51
add action=dst-nat chain=dstnat dst-address=192.168.1.117 dst-port=6001 protocol=tcp to-addresses=192.168.88.51
add action=dst-nat chain=dstnat dst-address=192.168.1.117 dst-port=6002 protocol=tcp to-addresses=192.168.88.51

Here are my commands (incorrect)

add chain=dstnat action=dst-nat to-addresses=192.168.88.51 dst-port=6080 protocol=tcp dst-address=192.168.1.117
add chain=dstnat action=dst-nat to-addresses=192.168.88.51 dst-port=6001 protocol=tcp dst-address=192.168.1.117
add chain=dstnat action=dst-nat to-addresses=192.168.88.51 dst-port=6002 protocol=tcp dst-address=192.168.1.117

Here's a newbie question. Both sets of commands contain the same parameters, but in different order.
What am I doing wrong?

Thanks again, cbrown, CelticComms, gotsprings and everyone else.
 
CelticComms
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: IP Camera Port forwarding

Thu Jan 03, 2013 2:19 pm

Dst. Address provides the possibility to limit the rule to packets *originally destined* for Dst. Address.

To Addresses is the new address that the relevant traffic should be sent to via NAT.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!
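
The first-match behaviour cbrown describes and the matcher/action split CelticComms explains, as an added example (not code from any poster or from MikroTik): a simplified Python model of dstnat evaluation run over rules 1-3 from the first post and over cbrown's rules. The request to port 22 is a constructed sample of a port nobody meant to forward, and the model only understands single-value `protocol`, `dst-address` and `dst-port` matchers.

```python
import shlex

WAN, CAM = "192.168.1.117", "192.168.88.51"
# Rules 1-3 as first posted: to-ports is set, but there is no dst-port matcher.
ORIGINAL = [f"chain=dstnat action=dst-nat to-addresses={CAM} to-ports={p} "
            f"protocol=tcp dst-address={WAN}" for p in (6080, 6001, 6002)]
# cbrown's rules: dst-port selects the traffic, to-addresses rewrites it.
FIXED = [f"add action=dst-nat chain=dstnat dst-address={WAN} dst-port={p} "
         f"protocol=tcp to-addresses={CAM}" for p in (6080, 6001, 6002)]

def parse_rule(line):
    """Split one 'key=value ...' rule line into a dict; bare words are skipped."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def dst_nat(rule_lines, packet):
    """Return (index of the first matching rule, new address, new port)."""
    for index, rule in enumerate(map(parse_rule, rule_lines)):
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        # Matchers: a matcher that is absent from the rule matches every packet.
        matchers = ("protocol", "dst-address", "dst-port")
        if any(m in rule and rule[m] != str(packet[m]) for m in matchers):
            continue
        # Actions: the address is rewritten; the port only if to-ports is given.
        return (index, rule.get("to-addresses", packet["dst-address"]),
                int(rule.get("to-ports", packet["dst-port"])))
    return None, packet["dst-address"], packet["dst-port"]  # no rule matched

def deliveries(rule_lines, ports=(6080, 6001, 6002, 22)):
    """Map each requested TCP port on the WAN address to where it ends up."""
    return {p: dst_nat(rule_lines, {"protocol": "tcp", "dst-address": WAN,
                                    "dst-port": p}) for p in ports}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for port, (index, addr, new_port) in deliveries(rules).items():
            print(f"{name:8} dst-port {port:<5} -> rule {index}, {addr}:{new_port}")
```

With the original rules every request, whatever its port, is claimed by rule 0 and lands on the camera's port 6080; with the corrected rules each camera port keeps its number and the unrelated port is left alone.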

 
mozzi001
just joined
Posts: 24
Joined: Sat Feb 13, 2016 6:24 pm

Re: IP Camera Port forwarding

Sun Feb 14, 2016 1:38 pm

Hi all,
can you help me too with my IP cams?
I have 3 IP cams:
ipcam1 = 10.10.2.105 port 8800
ipcam1 = 10.10.2.106 port 8803
ipcam1 = 10.10.2.107 port 8805
and my WAN IP is dynamic (not static).
I use an ADSL modem for the internet connection.

I already made NAT rules like in the earlier posts:

add action=dst-nat chain=dstnat dst-port=8800 protocol=tcp to-addresses=10.10.2.105
add action=dst-nat chain=dstnat dst-port=8803 protocol=tcp to-addresses=10.10.2.106
add action=dst-nat chain=dstnat dst-port=8805 protocol=tcp to-addresses=10.10.2.107

But I can't get video from my phone or another network.
Please help me....

thanks
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: IP Camera Port forwarding

Sun Feb 14, 2016 2:54 pm

chain=dstnat action=dst-nat to-addresses=10.10.2.105 to-ports=8800 protocol=tcp in-interface=wan dst-port=8800 log=no log-prefix=""
Also make sure the camera has internet access, I mean set the gateway on the camera... this is a common mistake, not setting the gateway on the IP camera.
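
A static check for the two scoping matchers the rules in this thread differ on, as an added example (not code from any poster or from MikroTik): it flags dst-nat rules that have no `dst-port`, and rules that have neither `dst-address` nor `in-interface` and therefore also match connections leaving the LAN for that port. The finding names are made up for this sketch, only those two matchers are treated as ingress scope, and the rule lines are copied from the posts above.

```python
import shlex

def parse_rule(line):
    """Split one 'key=value ...' rule line into a dict; bare words are skipped."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def audit(line):
    """Return the scoping findings for one rule line (empty list: nothing flagged)."""
    rule = parse_rule(line)
    if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
        return []
    findings = []
    if "dst-port" not in rule:
        # Every port of the matched protocol is rewritten, not just the intended one.
        findings.append("no-dst-port")
    if "dst-address" not in rule and "in-interface" not in rule:
        # Matches on any interface, so LAN clients heading out to that port
        # on any remote host are redirected to the camera as well.
        findings.append("no-ingress-scope")
    return findings

# Rule lines copied from the posts in this thread.
RULES = {
    "first post, rule 1": "chain=dstnat action=dst-nat to-addresses=192.168.88.51 "
                          "to-ports=6080 protocol=tcp dst-address=192.168.1.117",
    "cbrown": "add action=dst-nat chain=dstnat dst-address=192.168.1.117 "
              "dst-port=6080 protocol=tcp to-addresses=192.168.88.51",
    "mozzi001": "add action=dst-nat chain=dstnat dst-port=8800 protocol=tcp "
                "to-addresses=10.10.2.105",
    "kiaunel": "chain=dstnat action=dst-nat to-addresses=10.10.2.105 to-ports=8800 "
               'protocol=tcp in-interface=wan dst-port=8800 log=no log-prefix=""',
}

def audit_all(rules=RULES):
    """Audit every sample rule and return {poster: findings}."""
    return {who: audit(line) for who, line in rules.items()}

if __name__ == "__main__":
    for who, findings in audit_all().items():
        print(f"{who:20} {', '.join(findings) or 'ok'}")
```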
 
mozzi001
just joined
Posts: 24
Joined: Sat Feb 13, 2016 6:24 pm

Re: IP Camera Port forwarding

Sun Feb 14, 2016 3:45 pm

Thanks to kiaunel for the fast reply.
So I need to do that for my 3 IP cams....
Can I ask again... how can I set up my IP cams so I can get video through noip.com? Can you help me with that too....

thanks
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: IP Camera Port forwarding

Sun Feb 14, 2016 3:56 pm

To use noip.com you have to use a custom script. Better to use the built-in dyndns:
[admin@Gateway] > ip cloud set ddns-enabled=yes
[admin@Gateway] > ip cloud print
ddns-enabled: yes
update-time: yes
public-address: 89.137.xx.xx
dns-name: 268xxxxxxxxxx.sn.mynetname.net
status: updated
[admin@Gateway] >
It is not a simple-to-remember host, but it works :)
 
mozzi001
just joined
Posts: 24
Joined: Sat Feb 13, 2016 6:24 pm

Re: IP Camera Port forwarding

Sun Feb 14, 2016 5:32 pm

Thanks again kiaunel.
So I don't have to put DDNS on all my IP cams,
I just need to make one DDNS on the MikroTik??
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Sun Feb 14, 2016 5:50 pm

Yes, you will access the camera like this: http://mikrotik.host:cameraport

Sent from my Lenovo K50-t5 using Tapatalk
 
mozzi001
just joined
Posts: 24
Joined: Sat Feb 13, 2016 6:24 pm

Re: IP Camera Port forwarding

Mon Feb 15, 2016 2:18 am

Thanks in advance, kiaunel.
Here is all my config for my IP cams,
but I still can't get video from my phone or when I use another network to see my video.

Image

Image

I got a script for No-IP automatic WAN IP update:
# No-IP automatic Dynamic DNS update

#--------------- Change Values in this section to match your setup ------------------

# No-IP User account info
:local noipuser "username ddns";
:local noippass "password ddns";

# Set the hostname or label of network to be updated.
:local noiphost "address noip.com";

# Change to the name of interface that gets the dynamic IP address
:local inetinterface "interface use pppoe-out";

#------------------------------------------------------------------------------------
# No more changes needed

:global previousIP;

:if ([/interface get $inetinterface value-name=running]) do={
    # Get the current IP on the interface
    :local currentIP [/ip address get [find interface="$inetinterface" disabled=no] address];

    # Strip the net mask off the IP address
    :for i from=( [:len $currentIP] - 1) to=0 do={
        :if ( [:pick $currentIP $i] = "/") do={
            :set currentIP [:pick $currentIP 0 $i];
        }
    }

    :if ($currentIP != $previousIP) do={
        :log info "No-IP: Current IP $currentIP is not equal to previous IP, update needed";
        :set previousIP $currentIP;
        :local url "http://dynupdate.no-ip.com/nic/update\3Fmyip=$currentIP";
        :log info "No-IP: Sending update for $noiphost";
        # Send the update and save the server response to a per-host file
        /tool fetch url=($url . "&hostname=$noiphost") user=$noipuser password=$noippass mode=http dst-path=("no-ip_ddns_update-" . $noiphost . ".txt")
        :log info "No-IP: Host $noiphost updated on No-IP with IP $currentIP";
    } else={
        :log info "No-IP: Previous IP $previousIP is equal to current IP, no update needed";
    }
} else={
    :log info "No-IP: $inetinterface is not currently running, so therefore will not update.";
}


Is something wrong with my settings????
Please help.

thanks
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Mon Feb 15, 2016 6:34 am

Where is the other router (non-MikroTik) located? Make a simple network diagram so I can understand your setup. I mean, how do the cameras reach the MikroTik? I see you have 192.168.5.0/24 on eth1. eth1 is not the WAN port? PPPoE is not connected to eth1? Can you ping the camera IP from the MikroTik?

Sent from my Lenovo K50-t5 using Tapatalk
 
mozzi001
just joined
Posts: 24
Joined: Sat Feb 13, 2016 6:24 pm

Re: IP Camera Port forwarding

Mon Feb 15, 2016 11:37 am

Sorry kiaunel,
my network is like this.
I hope you understand now.... :D

Image

thanks
 
mozzi001
just joined
Posts: 24
Joined: Sat Feb 13, 2016 6:24 pm

Re: IP Camera Port forwarding

Mon Feb 15, 2016 12:01 pm

eth1 = connected to the DSL modem
and I use pppoe to dial up to my DSL modem using eth1
ip wan on my mikrotik
I can't ping the IP cam from the MikroTik..
that's what I want to know too :D


thanks
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Mon Feb 15, 2016 4:08 pm

Why don't you connect the cameras after the MikroTik? That way it will be much easier.
If you cannot do this, remove dstnat from the ADSL router and make sure LAN and wireless on the DSL are bridged, because you should have replies from the camera on ping, and move the dstnat rules to the MikroTik. When you try to reach the camera from outside you are accessing the MikroTik on PPPoE, not the LAN on the ADSL.
Sent from my Lenovo K50-t5 using Tapatalk
 
mozzi001
just joined
Posts: 24
Joined: Sat Feb 13, 2016 6:24 pm

Re: IP Camera Port forwarding

Mon Feb 15, 2016 5:13 pm

Because my DSL modem's Wi-Fi can reach more area than my MikroTik hAP lite,
and now I can already ping from the MikroTik to the DSL modem.
I changed the IP on the DSL modem to 10.10.5.100, and on the MikroTik eth1 changed to 10.10.5.1 and gateway 10.10.5.1,
so now I can ping from the DSL modem Wi-Fi to the MikroTik and the opposite,
but I still can't see video from outside the WAN...
Can you help me again :D :D
 
mozzi001
just joined
Posts: 24
Joined: Sat Feb 13, 2016 6:24 pm

Re: IP Camera Port forwarding

Mon Feb 15, 2016 6:05 pm

Solved......and... done.
Thank you very much kiaunel,
you helped me so much.
Now I can see my IP cams from outside the WAN.
yohoooo.... :lol: :lol:

Thanks again kiaunel
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Mon Feb 15, 2016 6:07 pm

What did you do?

Sent from my Lenovo K50-t5 using Tapatalk
 
mozzi001
just joined
Posts: 24
Joined: Sat Feb 13, 2016 6:24 pm

Re: IP Camera Port forwarding

Mon Feb 15, 2016 7:02 pm

Last, I put in the NAT rule like you told me before:
chain=dstnat action=dst-nat to-addresses=10.10.2.105 to-ports=8800 protocol=tcp in-interface=wan dst-port=8800 log=no log-prefix=""

I added NAT for all my IP cams
and I disabled NAT on the DSL modem.
That's all I did.

And thanks again kiaunel.
Next time can I ask a question again if I have trouble.... :D
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: IP Camera Port forwarding

Mon Feb 15, 2016 9:01 pm

You're welcome... anytime.
