Tsatsralt
just joined
Topic Author
Posts: 6
Joined: Fri Jul 22, 2022 4:37 am

Need help with port forwarding

Fri Jul 22, 2022 6:05 am

Hello guys.

New here and looking for some help. We have an NVR inside a local network and a MikroTik router on the WAN. I have been trying to watch live view and playback video from the PC client and mobile app over the Internet. I've configured NAT and was able to log in using the mobile app and PC client.
The problem is I can't watch any live feed or playback.

Tried 2 different NATs. Disabled unnecessary NATs for now.
From what I saw, the main 2 ports needed to watch the live feed are 443 and 9100.

NVR is Dahua's DHI-DSS7016DR-S2.
I've hidden the public IP for security concerns.
Also, I can watch and control the NVR from the local network without any problem, so there is no need for additional configuration in the NVR.

So I must be doing something wrong with the Mikrotik.
/ip firewall nat
add action=accept chain=srcnat dst-address-list=loc src-address-list=loc
add action=dst-nat chain=dstnat dst-address=[Public IP] dst-port=15455 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=443
add action=dst-nat chain=dstnat dst-address=[Public IP] dst-port=9100 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=9100
add action=dst-nat chain=dstnat dst-address=[Public IP] dst-port=8080 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=80
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.0.30
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9090 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9090
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9320-9322 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=9320-9322
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9010 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9010
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9200 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9200
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9600 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9600
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=8081-8082 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=8081-8082
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=61616 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=61616
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=20000-30000 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=20000-30000
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9000
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=5080 in-interface=ether1 protocol=udp to-addresses=192.168.0.30 \
    to-ports=5080
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=554 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=554
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=40000-49999 protocol=tcp to-addresses=192.168.0.30 to-ports=\
    40000-49999
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=1883 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=1883
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=12366 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=12366
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=6379 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=6379
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9400 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9400
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9550 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9550
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=5060 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=5672 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=5672
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=61613 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=61613
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=8161 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=8161
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9500 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9500
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=9900-9901 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=9900-9901
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=36962 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    dst-port=61001-65000 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=61001-65000
add action=dst-nat chain=dstnat disabled=yes dst-address=[Public IP] \
    to-addresses=192.168.0.30
add action=src-nat chain=srcnat disabled=yes src-address=192.168.0.30 \
    to-addresses=[Public IP]
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Need help with port forwarding

Fri Jul 22, 2022 8:52 pm

For a Dahua NVR at one of my clients, I had to forward the following only:

TCP 443,554,37777
UDP 37778

Maybe check your NVR requirements again?
 
Tsatsralt
just joined
Topic Author
Posts: 6
Joined: Fri Jul 22, 2022 4:37 am

Re: Need help with port forwarding

Mon Jul 25, 2022 4:13 am

Thank you for the suggestion.
I've asked Dahua support and configured it as told. As you can see from the original post, I've configured the ports and was still unable to get a video feed. I was successful at logging in to the NVR from the internet. Dahua support told me that I should check for a network issue. So here I am.
Is there anything I've done wrong in the NAT? That's the question I have now.
I'll try the ports you've suggested and reply again.
Thanks again.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with port forwarding

Mon Jul 25, 2022 2:54 pm

Couple of Thoughts....

(1) Are you attempting to connect to a server, from users within the SAME LAN, and using the WANIP address of the router?
If so, that's a hairpin NAT scenario and you will need to make a few changes.

(2) If you have external users to your Servers, do you have a firewall address list of these users to narrow down who has access?
By adding this, it makes the server NOT visible on scans of your ports.

Note: There is no excuse not to use a firewall address list as folks that have a dynamic WANIP can easily get free dyndns URLS to use with their WANIP and thus give you the dyndns URL and the MT router will resolve them correctly.

+++++++++++++++++++++

(3). The full config is required not just a snippet (minus any public IP info of course), to make any assessment of your setup.
 
Tsatsralt
just joined
Topic Author
Posts: 6
Joined: Fri Jul 22, 2022 4:37 am

Re: Need help with port forwarding

Tue Jul 26, 2022 4:11 am

Hello.
I'm trying to give access to the NVR to users who will use the NVR's mobile client (mostly over mobile data).
I port forwarded 443 to the public IP and can log in to the NVR using the mobile client. The problem is I can't watch the video feed or play back recorded videos.
Also, how can I get the full config? As I mentioned before, I'm new to MikroTik.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with port forwarding

Tue Jul 26, 2022 4:36 am

Hello.
I'm trying to give access to the NVR to users who will use the NVR's mobile client (mostly over mobile data).
I port forwarded 443 to the public IP and can log in to the NVR using the mobile client. The problem is I can't watch the video feed or play back recorded videos.
Also, how can I get the full config? As I mentioned before, I'm new to MikroTik.
In winbox go to New Terminal and at the command line type
/export hide-sensitive file=anynameyouwant

Then go to winbox files, find the file created, download it to your computer and then open it in Notepad++.
Ensure no public WANIP or gateway information is present and then copy it and paste it into
a post here, and use the code quote brackets to encapsulate the paste so it's short and presentable. (next to the Bold Italics to the right, the black square with white square brackets)
 
Tsatsralt
just joined
Topic Author
Posts: 6
Joined: Fri Jul 22, 2022 4:37 am

Re: Need help with port forwarding

Tue Jul 26, 2022 11:29 am

Here is the config:
# jul/26/2022 16:15:00 by RouterOS 6.49.5
# software id = Q7XR-8N6I
#
# model = RB4011iGS+
# serial number = D4440DFB53A7
/interface bridge
add name=bridge1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=DENIED regexp="^.+(facebook.com|youtube).*\$"
/ip ipsec peer
add address=(IPsec peer network) name="to APU Logistic"
add address=(IPsec peer network) name="to Capital house"
add address=(IPsec peer network) name="to APU Dairy"
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des hash-algorithm=\
    md5 name="to APU Logistic"
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=\
    "to Capital house"
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=\
    "to APU Dairy"
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name="to Tiger"
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=\
    "to Shukhlai"
/ip ipsec peer
add address=(IPsec peer network) name="To Tiger" profile="to Tiger"
add address=(IPsec peer network) name="To Shunkhlai" profile="to Shukhlai"
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=md5 enc-algorithms=3des name="to APU Logistic"
add auth-algorithms=md5 enc-algorithms=3des name="to Capital house"
add auth-algorithms=md5 enc-algorithms=3des name="to APU Dairy"
add auth-algorithms=md5 enc-algorithms=3des name="to Tiger"
add auth-algorithms=md5 enc-algorithms=3des name="to Shukhlai"
/ip pool
add name=dhcp ranges=192.168.0.6-192.168.0.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=(public IP)/29 interface=ether1 network=(Hidden)
add address=192.168.0.1/27 interface=bridge1 network=192.168.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.0.0/27 gateway=192.168.0.1 netmask=27
/ip dns
set servers=(DNS server 1),(DNS server 2)
/ip firewall address-list
add address=192.168.0.0/24 list=loc
add address=192.168.1.0/24 list=loc
add address=192.168.2.0/24 list=loc
add address=192.168.3.0/24 list=loc
add address=192.168.4.0/24 list=loc
add address=192.168.6.0/24 list=loc
/ip firewall filter
add action=accept chain=forward dst-address=192.168.0.30 dst-port=443 \
    in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.30 dst-port=9100 \
    in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.30 dst-port=37777 port=\
    "" protocol=tcp
add action=accept chain=forward dst-address=192.168.0.30 dst-port=37778 \
    protocol=udp
add action=accept chain=forward disabled=yes dst-address=192.168.0.30 \
    dst-port="" in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address-list=loc src-address-list=loc
/ip firewall nat
add action=accept chain=srcnat dst-address-list=loc src-address-list=loc
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN \
    src-address=192.168.0.30
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=15455 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=443
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=9100 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=9100
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9090 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9090
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9320-9322 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=9320-9322
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9010 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9010
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9200 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9200
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9600 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9600
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=8081-8082 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=8081-8082
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=61616 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=61616
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=20000-30000 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=20000-30000
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9000
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=5080 in-interface=ether1 protocol=udp to-addresses=192.168.0.30 \
    to-ports=5080
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=554 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=554
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=40000-49999 protocol=tcp to-addresses=192.168.0.30 to-ports=\
    40000-49999
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=1883 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=1883
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=12366 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=12366
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=6379 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=6379
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9400 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9400
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9550 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9550
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=5060 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=5060
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=5672 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=5672
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=61613 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=61613
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=8161 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=8161
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=8080
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9500 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 \
    to-ports=9500
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=9900-9901 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=9900-9901
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=36962 in-interface=ether1 protocol=tcp to-addresses=192.168.0.30
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    dst-port=61001-65000 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.0.30 to-ports=61001-65000
add action=dst-nat chain=dstnat disabled=yes dst-address=(Public IP address) \
    to-addresses=192.168.0.30
add action=src-nat chain=srcnat disabled=yes src-address=192.168.0.30 \
    to-addresses=(Public IP address)
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=37777 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=37777
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=37778 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.30 to-ports=37778
/ip ipsec identity
add peer="to APU Logistic"
add peer="to Capital house"
# Suggestion to use stronger pre-shared key or different authentication method
add peer="to APU Dairy"
# Suggestion to use stronger pre-shared key or different authentication method
add peer="To Tiger"
add peer="To Shunkhlai"
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.0.160/27 peer="To Shunkhlai" proposal="to Shukhlai" \
    src-address=192.168.0.0/27 tunnel=yes
add comment="APU Logistic" dst-address=192.168.0.96/27 peer="to APU Logistic" \
    proposal="to APU Logistic" src-address=192.168.0.0/27 tunnel=yes
add comment="Capital house" dst-address=192.168.0.32/27 peer=\
    "to Capital house" proposal="to Capital house" src-address=192.168.0.0/27 \
    tunnel=yes
add comment="APU Dairy" dst-address=192.168.0.64/27 peer="to APU Dairy" \
    proposal="to APU Dairy" src-address=192.168.0.0/27 tunnel=yes
add comment="APU Dairy" dst-address=192.168.0.128/27 peer="To Tiger" \
    proposal="to Tiger" src-address=192.168.0.0/27 tunnel=yes
/ip route
add distance=1 gateway=(Gateway)
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Ulaanbaatar
/system identity
set name="PSG ShUT"
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with port forwarding

Tue Jul 26, 2022 3:53 pm

(1) This seems rather odd, (27 vice 24) but assuming you know what you are doing.
/ip dhcp-server network
add address=192.168.0.0/27 gateway=192.168.0.1 netmask=27

(2) Also no idea what you are doing within ipsec policy.......

(3) What is weird is a ref to local for IP addresses that seem to have no attachment to anything.......
/ip firewall address-list
add address=192.168.0.0/24 list=loc
add address=192.168.1.0/24 list=loc
add address=192.168.2.0/24 list=loc
add address=192.168.3.0/24 list=loc
add address=192.168.4.0/24 list=loc
add address=192.168.6.0/24 list=loc


They are noted in this rule.......... which makes no sense either ???
add action=accept chain=forward dst-address-list=loc src-address-list=loc

and noted again here........ very confusing.
/ip firewall nat
add action=accept chain=srcnat dst-address-list=loc src-address-list=loc


(4) Is this router facing a public IP address, aka the internet? If so, the rules are missing many needed things and you should NOT have this plugged into the internet until fixed.

(5) Why do you have port forwarding (dst-nat rules) in the FORWARD CHAIN??
You only need one rule in the forward chain to permit port forwarding in general.

/ip firewall filter
add action=accept chain=forward dst-address=192.168.0.30 dst-port=443 \
in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.30 dst-port=9100 \
in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.30 dst-port=37777 port=\
"" protocol=tcp
add action=accept chain=forward dst-address=192.168.0.30 dst-port=37778 \
protocol=udp
add action=accept chain=forward disabled=yes dst-address=192.168.0.30 \
dst-port="" in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address-list=loc src-address-list=loc


/ip firewall nat
add action=accept chain=srcnat dst-address-list=loc src-address-list=loc
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN \
src-address=192.168.0.30
add action=masquerade chain=srcnat out-interface-list=WAN

(6) Format for port forwarding is incorrect:
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=15455 \
in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=443


Basically, if you have a fixed WANIP, aka static, then this works:
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=15455 \
protocol=tcp to-addresses=192.168.0.30 to-ports=443


If you have a dynamic WANIP, then this is typical:
add action=dst-nat chain=dstnat in-interface=ether1 dst-port=15455 \
protocol=tcp to-addresses=192.168.0.30 to-ports=443
 
Tsatsralt
just joined
Topic Author
Posts: 6
Joined: Fri Jul 22, 2022 4:37 am

Re: Need help with port forwarding

Wed Jul 27, 2022 4:19 am

Hello

From 1 to 3 and 5, we connected a few sites to the main site using the ISP's tunnel, and the ISP's engineer helped connect these branch sites. I didn't do the config at that time.

As for number 4, yes, this is an internet-facing router. If you have any suggestion, please tell me. I really appreciate your support.

Also, I deleted those firewall filters which addressed 192.168.0.30.

6, I tried a few things when we faced a problem with the NVR. I'll fix the structure.

Thank you.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with port forwarding

Wed Jul 27, 2022 3:55 pm

Advice for firewall rules........
viewtopic.php?t=180838

Advice for port forwarding.......
viewtopic.php?t=179343
 
Tsatsralt
just joined
Topic Author
Posts: 6
Joined: Fri Jul 22, 2022 4:37 am

Re: Need help with port forwarding

Thu Jul 28, 2022 5:26 am

@anav
Thank you for the advice.

I followed the port forwarding topic and configured the Filter and NAT rules. Cleaned up unnecessary rules.
Even though I followed the topic, I might have made some mistake or something, because I still can't see the video feed.
Could you look at the config, please?
# jul/28/2022 10:07:52 by RouterOS 6.49.5
# software id = Q7XR-8N6I
#
# model = RB4011iGS+
# serial number = D4440DFB53A7
/interface bridge
add name=bridge1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=DENIED regexp="^.+(facebook.com|youtube).*\$"
/ip ipsec peer
add address=(IP-sec peer IP) name="to APU Logistic"
add address=(IP-sec peer IP) name="to Capital house"
add address=(IP-sec peer IP) name="to APU Dairy"
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des hash-algorithm=\
    md5 name="to APU Logistic"
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=\
    "to Capital house"
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=\
    "to APU Dairy"
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name="to Tiger"
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=\
    "to Shukhlai"
/ip ipsec peer
add address=(IP-sec peer IP) name="To Tiger" profile="to Tiger"
add address=(IP-sec peer IP) name="To Shunkhlai" profile="to Shukhlai"
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=md5 enc-algorithms=3des name="to APU Logistic"
add auth-algorithms=md5 enc-algorithms=3des name="to Capital house"
add auth-algorithms=md5 enc-algorithms=3des name="to APU Dairy"
add auth-algorithms=md5 enc-algorithms=3des name="to Tiger"
add auth-algorithms=md5 enc-algorithms=3des name="to Shukhlai"
/ip pool
add name=dhcp ranges=192.168.0.6-192.168.0.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=(Public IP address) interface=ether1 network=(Network IP)
add address=192.168.0.1/27 interface=bridge1 network=192.168.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.0.0/27 gateway=192.168.0.1 netmask=27
/ip dns
set servers=202.131.224.2,202.131.232.4
/ip firewall address-list
add address=192.168.0.0/24 list=loc
add address=192.168.1.0/24 list=loc
add address=192.168.2.0/24 list=loc
add address=192.168.3.0/24 list=loc
add address=192.168.4.0/24 list=loc
add address=192.168.6.0/24 list=loc
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward dst-address-list=loc src-address-list=loc
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
    (Public IP address)
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=15455 \
    protocol=tcp to-addresses=192.168.0.30 to-ports=443
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=9100 \
    protocol=tcp to-addresses=192.168.0.30 to-ports=9100
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=16544 \
    protocol=tcp to-addresses=192.168.0.11 to-ports=3389
add action=accept chain=srcnat dst-address-list=loc src-address-list=loc
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
add peer="to APU Logistic"
add peer="to Capital house"
# Suggestion to use stronger pre-shared key or different authentication method
add peer="to APU Dairy"
# Suggestion to use stronger pre-shared key or different authentication method
add peer="To Tiger"
add peer="To Shunkhlai"
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.0.160/27 peer="To Shunkhlai" proposal="to Shukhlai" \
    src-address=192.168.0.0/27 tunnel=yes
add comment="APU Logistic" dst-address=192.168.0.96/27 peer="to APU Logistic" \
    proposal="to APU Logistic" src-address=192.168.0.0/27 tunnel=yes
add comment="Capital house" dst-address=192.168.0.32/27 peer=\
    "to Capital house" proposal="to Capital house" src-address=192.168.0.0/27 \
    tunnel=yes
add comment="APU Dairy" dst-address=192.168.0.64/27 peer="to APU Dairy" \
    proposal="to APU Dairy" src-address=192.168.0.0/27 tunnel=yes
add comment="APU Dairy" dst-address=192.168.0.128/27 peer="To Tiger" \
    proposal="to Tiger" src-address=192.168.0.0/27 tunnel=yes
/ip route
add distance=1 gateway=(Gateway address)
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Ulaanbaatar
/system identity
set name="PSG ShUT"
From what I roughly understand, I can log into the NVR from the internet. When I try to watch the video feed, the client program (the NVR's) says "server connection failed", so there must be some miscommunication going on, like the NVR sends a packet to the client but the client can't recognize the source address.... maybe.

Thanks again :D
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Need help with port forwarding

Thu Jul 28, 2022 3:21 pm

Nothing springs out at the moment......
But let's look at your sourcenat rules:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
(Public IP address)
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=15455 \
protocol=tcp to-addresses=192.168.0.30 to-ports=443
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=9100 \
protocol=tcp to-addresses=192.168.0.30 to-ports=9100
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=16544 \
protocol=tcp to-addresses=192.168.0.11 to-ports=3389
add action=accept chain=srcnat dst-address-list=loc src-address-list=loc
add action=masquerade chain=srcnat out-interface-list=WAN


The last rule is NOT required, the destination-nat rules seem correct, and the sourcenat rule using firewall address lists makes no sense to me...

Try this........ (remove the last two rules).
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
(Public IP address)
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=15455 \
protocol=tcp to-addresses=192.168.0.30 to-ports=443
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=9100 \
protocol=tcp to-addresses=192.168.0.30 to-ports=9100
add action=dst-nat chain=dstnat dst-address=(Public IP address) dst-port=16544 \
protocol=tcp to-addresses=192.168.0.11 to-ports=3389


If you are attempting to access the NVR from within the server, you would be running into loop back and would need this additional rule.
add chain=srcnat action=masquerade dst-address=192.168.0.0/27 src-address=192.168.0.0/27
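As an added example (not code from this thread, from MikroTik or from Dahua), the Python script below parses a RouterOS export and flags the points anav raised across his replies: dst-nat rules that match on both dst-address and in-interface, forwards with no src-address-list to narrow who can reach them, per-port accept rules in the forward chain where a single connection-nat-state=dstnat rule would do, and the missing LAN-to-LAN masquerade needed for the hairpin case. The two sample exports, the placeholder WAN address 203.0.113.10, the address-list name nvr-users and the LAN 192.168.0.0/27 are all constructed for the example.

```python
"""Audit a RouterOS export for the port-forwarding points raised in this thread.

Sample inputs are constructed; 203.0.113.10, 'nvr-users' and 192.168.0.0/27
are assumptions for the example, not values from a real router.
"""
import ipaddress
import shlex
from collections import defaultdict

# Constructed excerpt modelled on the thread's first config (placeholder WAN IP).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=forward dst-address=192.168.0.30 dst-port=443 \\
    in-interface=ether1 protocol=tcp
add action=accept chain=forward dst-address=192.168.0.30 dst-port=9100 \\
    in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=15455 \\
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-address=203.0.113.10 dst-port=554 \\
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.30 to-ports=554
"""

# Constructed excerpt applying the advice: one generic forward rule, dst-nat
# restricted by an address list (static-WANIP form), plus a hairpin masquerade.
FIXED_EXPORT = """\
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat src-address-list=nvr-users
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.0.0/27 src-address=192.168.0.0/27
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=15455 protocol=tcp \\
    src-address-list=nvr-users to-addresses=192.168.0.30 to-ports=443
"""


def parse_export(text):
    """Map each '/section' header to its 'add' rules as dicts, joining '\\' continuations."""
    sections, section, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):  # RouterOS wraps long lines with a trailing backslash
            pending += line[:-1] + " "
            continue
        stmt, pending = (pending + line).strip(), ""
        if not stmt or stmt.startswith("#"):
            continue
        if stmt.startswith("/"):
            section = stmt
            continue
        words = shlex.split(stmt)
        if words and words[0] == "add":
            sections[section].append(dict(w.partition("=")[::2] for w in words[1:]))
    return dict(sections)


def has_hairpin_nat(nat_rules, lan):
    """True if an enabled srcnat rule rewrites LAN-to-LAN traffic (LAN clients using the WAN IP)."""
    lan_net = ipaddress.ip_network(lan)
    for r in nat_rules:
        if r.get("chain") != "srcnat" or r.get("action") not in ("masquerade", "src-nat"):
            continue
        try:
            src, dst = ipaddress.ip_network(r["src-address"]), ipaddress.ip_network(r["dst-address"])
        except (KeyError, ValueError):
            continue
        if src.overlaps(lan_net) and dst.overlaps(lan_net) and r.get("disabled") != "yes":
            return True
    return False


def audit(export_text, lan="192.168.0.0/27"):
    """Return (finding, detail) pairs; an empty list means none of the thread's issues were seen."""
    cfg = parse_export(export_text)
    nat, flt = cfg.get("/ip firewall nat", []), cfg.get("/ip firewall filter", [])
    findings = []
    for r in nat:
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat" or r.get("disabled") == "yes":
            continue
        detail = f"dst-port={r.get('dst-port', 'any')} -> {r.get('to-addresses')}:{r.get('to-ports', 'same')}"
        if "dst-address" in r and "in-interface" in r:  # match on static WAN IP OR WAN interface, not both
            findings.append(("dstnat-both-matchers", detail))
        if "src-address" not in r and "src-address-list" not in r:  # reachable from any Internet host
            findings.append(("dstnat-open-to-world", detail))
    per_port = [r for r in flt if r.get("chain") == "forward" and r.get("action") == "accept"
                and "dst-port" in r and r.get("disabled") != "yes"]
    generic = any(r.get("chain") == "forward" and r.get("connection-nat-state") == "dstnat" for r in flt)
    if per_port and not generic:  # one connection-nat-state=dstnat rule covers every forward
        findings.append(("forward-per-port-accepts", f"{len(per_port)} rules; use connection-nat-state=dstnat"))
    if not has_hairpin_nat(nat, lan):
        findings.append(("hairpin-nat-missing", f"no srcnat rule for {lan} -> {lan}"))
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_EXPORT), ("fixed", FIXED_EXPORT)):
        print(name, audit(text) or "no findings")
```

The parser only reads `add` statements, so `set [ find default=yes ] ...` lines and comments in a full `/export hide-sensitive` file are skipped; run the script against such a file by passing its contents to `audit()`. The address-list check reports only that a list is absent, matching anav's point that the list, not the port number, is what keeps the forward off scans.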
