Good day,

I've configured my routerOs 5.2 to do some simple port forwarding using the following command:

/ip firewall nat add action=dst-nat chain=dstnat dst-address=10.10.1.12 dst-port=8080 protocol=tcp to-addresses=192.168.88.200 to-ports=8080

This has worked fine (I can connect externally and internally) for two different devices a camera and a PC. A third device (a pan tilt unit) configured the same way does not work externally, but I can connect fine internally.

I have tested this setup on another router (D-Link), and do not have the same problems.

Looking for any assistance possible, and will gladly supply pertinent information as requested.

Mike
Ottawa, Ont

Thanks so much for your time.
Mike

Protocol tcp only?

Strange, normally video uses UDP as main stream.

I am also port forwarding UDP as well.

Thanks for the reply.

Please provide the following:

/ip address print detail
/ip route print detail
/ip firewall export

That will enable us to look and see what is going on.

Please provide the following:

/ip address print detail
/ip route print detail
/ip firewall export

That will enable us to look and see what is going on.

I've done a system reset and added only the port forwarding rule that is not working, in order to simplify troubleshooting. Thanks so much for any help provided.

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=ether2-local
actual-interface=bridge

1 D address=10.10.1.12/16 network=10.10.0.0 interface=ether1-gateway
actual-interface=ether1-gateway



[admin@MikroTik] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=10.10.0.1
gateway-status=10.10.0.1 reachable ether1-gateway distance=1 scope=30
target-scope=10 vrf-interface=ether1-gateway

1 ADC dst-address=10.10.0.0/16 pref-src=10.10.1.12 gateway=ether1-gateway
gateway-status=ether1-gateway reachable distance=0 scope=10

2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge
gateway-status=bridge reachable distance=0 scope=10



[admin@MikroTik] > ip firewall export
# jan/02/1970 00:04:35 by RouterOS 5.2
# software id = QBA6-8HEQ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-port=8080 protocol=tcp \
to-addresses=192.168.88.253 to-ports=8080
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] >

Well you're not narrowing down the NAT rule enough is likely the cause of the problem. The way it reads is any tcp traffic going to port 8080 redirect to 192.168.88.253. This would include return traffic coming into the LAN, if your server is replying back to port 8080 this will cause an issue. I would recommend narrowing it down by either specifying the public IP you want to have forwarded as the dst-address, or the in-interface of the WAN port.

Not only is order of rules very important in a firewall, but also how narrow or specific they are. You don't want to make them so general that it catches more than what you want, but at the same time you don't want them to be too specific so you miss what you want.

I would recommend narrowing it down by either specifying the public IP you want to have forwarded as the dst-address, or the in-interface of the WAN port.

That is correct,

and also check manual for that camera, i had problems with video for ip cameras, with web port many cameras using RTSP, in my case i needed to port forward web port + RTSP port to get camera working from outside the LAN

Well you're not narrowing down the NAT rule enough is likely the cause of the problem. The way it reads is any tcp traffic going to port 8080 redirect to 192.168.88.253. This would include return traffic coming into the LAN, if your server is replying back to port 8080 this will cause an issue. I would recommend narrowing it down by either specifying the public IP you want to have forwarded as the dst-address, or the in-interface of the WAN port.

Not only is order of rules very important in a firewall, but also how narrow or specific they are. You don't want to make them so general that it catches more than what you want, but at the same time you don't want them to be too specific so you miss what you want.

Thanks for your reply.

I had specified a public ip previously, and it still didn't work.

However I will do that again, as what you said makes sense regardless.

I'll report back whether or not it helps.

I would recommend narrowing it down by either specifying the public IP you want to have forwarded as the dst-address, or the in-interface of the WAN port.

That is correct,

and also check manual for that camera, i had problems with video for ip cameras, with web port many cameras using RTSP, in my case i needed to port forward web port + RTSP port to get camera working from outside the LAN

The network camera, when port forwarded works fine, the issue is with a Pan Tilt Unit (PTU).

Thank you for taking time to help.

Well you're not narrowing down the NAT rule enough is likely the cause of the problem. The way it reads is any tcp traffic going to port 8080 redirect to 192.168.88.253. This would include return traffic coming into the LAN, if your server is replying back to port 8080 this will cause an issue. I would recommend narrowing it down by either specifying the public IP you want to have forwarded as the dst-address, or the in-interface of the WAN port.

Not only is order of rules very important in a firewall, but also how narrow or specific they are. You don't want to make them so general that it catches more than what you want, but at the same time you don't want them to be too specific so you miss what you want.

Here's a print out after my revised nat rule:

[admin@MikroTik] > ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=ether2-local
actual-interface=bridge

1 D address=10.10.1.12/16 network=10.10.0.0 interface=ether1-gateway
actual-interface=ether1-gateway



[admin@MikroTik] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=10.10.0.1
gateway-status=10.10.0.1 reachable ether1-gateway distance=1 scope=30
target-scope=10 vrf-interface=ether1-gateway

1 ADC dst-address=10.10.0.0/16 pref-src=10.10.1.12 gateway=ether1-gateway
gateway-status=ether1-gateway reachable distance=0 scope=10

2 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=bridge
gateway-status=bridge reachable distance=0 scope=10



[admin@MikroTik] > ip firewall export
# jan/02/1970 00:08:11 by RouterOS 5.2
# software id = QBA6-8HEQ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-address=10.10.1.12 dst-port=\
8080 protocol=tcp to-addresses=192.168.88.250 to-ports=8080
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] >

Maybe if I mention this is going on a Lunar Rover prototype I'll get more help

But seriously, I'm stuck and would welcome any help.

Thank you!

If it's still not working, do you see the NAT rule incrementing? If so, I would recommend running Torch on the LAN interface (built in tool of the MikroTik) pointed at the IP address of the camera to see what it is doing traffic wise. That will tell you if it's doing more than just port 8080.

If it's still not working, do you see the NAT rule incrementing? If so, I would recommend running Torch on the LAN interface (built in tool of the MikroTik) pointed at the IP address of the camera to see what it is doing traffic wise. That will tell you if it's doing more than just port 8080.

I do indeed see the NAT rule incrementing.

I will see if I can find out more information using Torch.

Thanks so much for your help.

If it's still not working, do you see the NAT rule incrementing? If so, I would recommend running Torch on the LAN interface (built in tool of the MikroTik) pointed at the IP address of the camera to see what it is doing traffic wise. That will tell you if it's doing more than just port 8080.

It is only using port 8080.

Is there another way to forward data to my Pan Tilt Unit? A different set of rules to get the data there?

Also $20 CND to anyone who solves my problem (to buy themselves a really damn good beer, or lots of crappy beer).


Thanks!

What do you see in torch? Do you just see tx, or do you see tx and rx? If you only seeing tx being reported, then the traffic is never getting back to the router to process it. Check the default gateway on the camera in that case.

What do you see in torch? Do you just see tx, or do you see tx and rx? If you only seeing tx being reported, then the traffic is never getting back to the router to process it. Check the default gateway on the camera in that case.

Feklar, you sir have earned yourself a beverage. Please pm me your email so I can paypal you your $20 beverage bounty.

The PTU was not getting the correct gateway for some reason. Manually setting it resolved the issue.

Thank you very much!

I'm glad that we got it working. There are no PMs on the forum, karma though is appreciated.