Community discussions

MUM Europe 2020
 
Norman29
just joined
Topic Author
Posts: 10
Joined: Sat Feb 08, 2014 9:08 pm

cannot access ip-camera from the outside

Thu Mar 13, 2014 7:49 pm

I can access almost everything from the outside.
The only thing i can not access is my ip-camera??
I narrowed it down to one rule that is causing the problem:
/ip firewall filter
add action=drop chain=forward comment=\ "Drop all other traffic through the router" \ disabled=no
If i enable this rule i cannot access the camera, if i disable this rule the camera can be viewed.
But then i get all sorts of other unwanted traffic. So i want that rule enabled.

I tried it with adding a nat rule (which is the "solution" you'll find all over the internet):
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=86.86.86.860 dst-port=6080 protocol=tcp to-addresses=192.168.0.5 to-ports=6080
I can see that traffic is generated because the counter is running as soon as i start the camera, but there's no connection to the camera.

How can i get this cam working with the forward chain rule still active?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: cannot access ip-camera from the outside

Thu Mar 13, 2014 7:57 pm

Enter inside the config of camera and read ALL ports the camera use.
Both TCP and UDP

In Firewall / Connection tracking use filter to see only the ip of your camera and see what port and protocol it use for working.

Create firewall rules accordingly
I'm Italian, not English. Sorry for my imperfect grammar.
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: cannot access ip-camera from the outside

Thu Mar 13, 2014 8:31 pm

I can access almost everything from the outside.
The only thing i can not access is my ip-camera??
I narrowed it down to one rule that is causing the problem:
/ip firewall filter
add action=drop chain=forward comment=\ "Drop all other traffic through the router" \ disabled=no
If i enable this rule i cannot access the camera, if i disable this rule the camera can be viewed.
But then i get all sorts of other unwanted traffic. So i want that rule enabled.

I tried it with adding a nat rule (which is the "solution" you'll find all over the internet):
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=86.86.86.860 dst-port=6080 protocol=tcp to-addresses=192.168.0.5 to-ports=6080
I can see that traffic is generated because the counter is running as soon as i start the camera, but there's no connection to the camera.

How can i get this cam working with the forward chain rule still active?
The DST-NAT rule only changes the incoming packet. If you have a default drop in the forward you need a rule above it to allow that incoming request..

you'll want something like:

ros code

/ip firewall filter
add chain=forward dst-address=192.168.0.5 protocol=tcp port=6080
That will actually allow the request...

Basically look at the packet flow diagram... first the packet hits the nat chains and gets changed... then it hits the forward chain... so you need both the DSTNAT and the Accept if you want it to work...

EDIT: NOTE!!! the forward rule will have to match the packet AFTER the NAT... so noticed I used the internal ip and the forwarded port.
 
Norman29
just joined
Topic Author
Posts: 10
Joined: Sat Feb 08, 2014 9:08 pm

Re: cannot access ip-camera from the outside

Fri Mar 14, 2014 2:24 pm

The DST-NAT rule only changes the incoming packet. If you have a default drop in the forward you need a rule above it to allow that incoming request..

you'll want something like:

ros code

/ip firewall filter
add chain=forward dst-address=192.168.0.5 protocol=tcp port=6080
That will actually allow the request...

Basically look at the packet flow diagram... first the packet hits the nat chains and gets changed... then it hits the forward chain... so you need both the DSTNAT and the Accept if you want it to work...

EDIT: NOTE!!! the forward rule will have to match the packet AFTER the NAT... so noticed I used the internal ip and the forwarded port.
Great! 8) That worked. So frustrating and yet so logical to get that problem fixed...
Thanx for your help!
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: cannot access ip-camera from the outside

Fri Mar 14, 2014 7:22 pm

The DST-NAT rule only changes the incoming packet. If you have a default drop in the forward you need a rule above it to allow that incoming request..

you'll want something like:

ros code

/ip firewall filter
add chain=forward dst-address=192.168.0.5 protocol=tcp port=6080
That will actually allow the request...

Basically look at the packet flow diagram... first the packet hits the nat chains and gets changed... then it hits the forward chain... so you need both the DSTNAT and the Accept if you want it to work...

EDIT: NOTE!!! the forward rule will have to match the packet AFTER the NAT... so noticed I used the internal ip and the forwarded port.
Great! 8) That worked. So frustrating and yet so logical to get that problem fixed...
Thanx for your help!
No problem.
 
francisuk24
newbie
Posts: 28
Joined: Tue Mar 18, 2014 12:10 am
Location: United Kingdom
Contact:

Re: cannot access ip-camera from the outside

Mon Mar 31, 2014 4:01 am

Just wonted to add, i was having problems port forwarding using NAT but this seemed to work for me.
Replace 192.168.1.8 with your internal IP cam and port 8081

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=8081 protocol=tcp dst-port=8081
RouterBoard RB750R2, RouterOS Level 4
ISP: Zen Internet via VDSL 2 > 74.68Mb Down / 17.84Mb Up

Who is online

Users browsing this forum: CZFan, k6ccc, MSN [Bot], r0ckr and 58 guests