Port Forwarding Issue

pcarlo71 · Sun Oct 30, 2016 10:49 pm

I have a Comcast gateway which is setup as "true bridge". I have been trying to access my ip camera from outside for months now. I have no luck with port forwarding and needs help badly.
My camera has been assigned with port 8150. I added a static ip for 192.168.88.241. I think I setup my port forwarding correctly but using http://www.canyouseeme.org/, it says the port refused connection. I can access my camera locally but not from the internet. Thanks everyone for your help.

Main Configuration

online photo storage

IP routes

free photo hosting

Static Setup

hosting image

Port Forwarding Setup

print screen windows xp

Filter Rules

adult image

JB172 · Mon Oct 31, 2016 12:41 pm

In IP->Firewall->NAT check your rule. Should must be:

In "Chain" put dstnat
In "Dst. Address" put your public IP of the router
In "Protocol" put tcp
In "Dst. Port" put the port (ie 8150)

In "Action" put dst-nat
In "To Addresses" put the ip of your IP Camera (ie 192.168.88.241)
In "To Ports" put the port (ie 8150)

pcarlo71 · Wed Nov 02, 2016 11:13 am

Thanks. However, it still doesn't work. I read the user's guide of my IP camera and it says, for browser access to the camera you need to forward public TCP port 8150 to internal port (base port) 80.

actrn · Wed Nov 02, 2016 11:25 am

simply add dst-nat TCP dst-port (port of the camera) to address (ip camera ) (camera port )

try without IP address in dst-address first

when it work, add public IP ( if connect over static IP ) or router IP in dst-address

JB172 · Wed Nov 02, 2016 11:51 am

Thanks. However, it still doesn't work. I read the user's guide of my IP camera and it says, for browser access to the camera you need to forward public TCP port 8150 to internal port (base port) 80.

In "To Ports" put the port (ie 80)

yerzhl · Thu Nov 03, 2016 11:28 am

Last possibility is the port you use is blocked by your isp. Some isp may block a range of port to prevent their customer for making private server.

I also had issue with port forwarding about my cctv dvr.
If the dvr/cctv connected through a router then to mikrotik, just make sure that you also open the port on the router.
Or if you have some additional firewall rules, try to disable them and move this port forward rule to top off-course after the dummy rules (if exist).

My advice is try to use other port like 8XXX or 9XXX instead of 80

pcarlo71 · Sat Nov 05, 2016 3:48 am

Port forwarding works fine in my previous router (Linksys). I don't think it's blocked by my ISP. Is there way to know if the port is being blocked (port 8150) by the router? How do I open the port 8150 in the router? Sorry for the many questions. Unfortunately, it still doesn't work. I can see packets.

VladimirBykov · Mon Nov 07, 2016 12:24 pm

There is someone from support? I have the same problem.
Moreover, sometimes my router forwards packets, but always only on IP .211. Even when I put another address in fied "ToAddress".

The simple task and can't be solved more than 5 days.

janus20 · Mon Nov 07, 2016 2:00 pm

Hi pcarlo71,

In my humble opinion you should put in FILTER rules, before rule nr. 6, a rule to accept connections for port 8150:

IP -> FIREWALL -> FILTER
1. In GENERAL Tab, click "+", for add new rule
2. select CHAIN = input
3. select PROTOCOL = (6) tcp
4. select destination port = Dst. Port [] 8150
5. In ACTION Tab, select accept from ACTION drop down list
6. /* optional */ you may check "Log" and in Log Prefix field write: mycam, if you want to see it in log menu or via torch
or

/ip firewall filter
add action=accept chain=input comment="Accept connections from outside to inside port 8150" dst-port=8150 log=yes log-prefix=mycam protocol=tcp

Does make any difference ?
kind regards,

Rudios · Mon Nov 07, 2016 2:29 pm

Hi pcarlo71,

In my humble opinion you should put in FILTER rules, before rule nr. 6, a rule to accept connections for port 8150:

IP -> FIREWALL -> FILTER
1. In GENERAL Tab, click "+", for add new rule
2. select CHAIN = input
3. select PROTOCOL = (6) tcp
4. select destination port = Dst. Port [] 8150
5. In ACTION Tab, select accept from ACTION drop down list
6. /* optional */ you may check "Log" and in Log Prefix field write: mycam, if you want to see it in log menu or via torch
or
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Accept connections from outside to inside port 8150" dst-port=8150 log=yes log-prefix=mycam protocol=tcp
Does make any difference ?
kind regards,

If firewall filter rules need to be added, the dst-port should be 80 (when NAT is translated to it) and for more strict allowance add dst-address to whti 192.168.88.241
And this should be in the forward chain!

janus20 · Mon Nov 07, 2016 3:25 pm

Hi,

In his latest post he said:

How do I open the port 8150 in the router? Sorry for the many questions. Unfortunately, it still doesn't work. I can see packets.

I am a beginner into mikrotik routers myself so that please forgive me but I still think that proper chain commands here would be ( it is just a basic port forwarding, after all):
1. accepting conections from WAN ( in-interface=ether1-gateway ), on proto tcp (protocol=tcp), for destination port 8150 (dst-port=8150), in the first place

/ip firewall filter
add action=accept chain=input comment="Accept connections from outside to inside port 8150" dst-port=8150 in-interface=ether1-gateway log=yes log-prefix=mycam protocol=tcp

2. forwarding conections on WAN ( in-interface=ether1-gateway ), on proto tcp (protocol=tcp), for destination port 8150 (dst-port=8150) to LAN destination adress 192.168.88.241 ( to-addresses=192.168.88.241 ), for destination port 80 (to-ports=80)

/ip firewall nat
add action=dst-nat chain=dstnat comment="Access my camera on web" dst-port=8150 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.241 to-ports=80

kind regards

Rudios · Mon Nov 07, 2016 4:42 pm

Input chain is used when traffic is destined for the router itself
forward chain is used when traffic is destined for a client and router used to forward the traffic towards it.

Then comes the NAT-ting part.

Look at http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6 and there you will come to the conclusion that when a packet is initially send to the router, during pre-routing the dst-nat actions are handled. That will mean that after dst-nat actions (translations) are done, the destination address of the packets are changed from the original IP held by the router to the real destionation (eg translated from a public IP 217.65.98.3 to 192.168.88.5).
Then comes the routing decision and since the destination address is 192.168.88.5 after dst-nat the actual destination is not the router itself anymore and therefor the filter is should be handled in the forward chain.
Same applies for the dst-port. During dst-nat (in pre-routing) the dst-port is changed from 8150 to 80, and therefor the filter rule should be mathcing the dst-port 80.

janus20 · Mon Nov 07, 2016 6:26 pm

Hi rudios,

I see, it makes a lot of sense now. Thank you very much for your explications.

kind regards

pcarlo71 · Tue Nov 08, 2016 1:44 pm

Thanks everyone for helping me out. It still a no go. Here are my settings

IP->Firewall->Rules

chain = forward
protocol = tcp
dst port = 80
in. interface = either1-gateway
action = accept

IP->Firewall->NAT

chain = dstnat
protocol = tcp
dst port = 8150
in. interface = either1-gateway
action = dstnat
to address = 192.168.88.241 (local camera ip)
to ports = 80

I even disabled all filter rules and fort forwarding still doesn't work. I forgot to mention that my ip camera has a built-in web server (thus the port 80). When I access the camera from a browser using 69.140.252.50:8150, the page loads very quickly with a message that it refused to connect. When I access 69.140.252.50:80, it goes straight to my router login page.

Rudios · Tue Nov 08, 2016 2:30 pm

When you are connected to your internal network, how do you access your camera?
By using port 80 or 8150?

<edit>
Since you have supplied your public IP in your previous post I just gave it a try and when I go to port 8150 I end up seeing some "Shark Security" login page for a camera, so in my perspective it works!

I now assume you are trying to connect to your camera via your public IP, while you are inside your own local network.
If that is the case, you will need an additional NAT rule, according to this principle (http://wiki.mikrotik.com/wiki/Hairpin_NAT)
your rule should look like

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.241 out-interface=<your local network bridge/master port>

mpreissner · Tue Nov 08, 2016 2:45 pm

So here's the thing to remember:

RouterOS process NAT rules before it does Filter rules, so an Accept rule on the input chain will never get hit if you're NATing the traffic. If you want to forward external port 8150 to port 80 on your camera, you need to do 2 things: 1) add the appropriate dst-nat rule, and 2) assuming you have a "Drop All" rule at the bottom of every Filter chain (which you should for security reasons), you need to add an Accept rule to the forward chain. Given the information you've provided, those rules should look like this:

/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=8150 to-addresses=192.168.88.241 to-port=80 action=dst-nat

/ip firewall filter add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.88.241 dst-port=80 action=accept

You'll need to make sure those rules are high enough in the table that they are matched before any more permissive rules. Firewall rules are processed from the top-down, and best practice is to put the most restrictive and most frequently matched rules closer to the top. If these rules don't get it working for you, you'll need to post an export of your entire config, as something else must be interfering.

Rudios · Tue Nov 08, 2016 3:31 pm

So here's the thing to remember:

RouterOS process NAT rules before it does Filter rules, so an Accept rule on the input chain will never get hit if you're NATing the traffic.
[...].

If referring to dst-nat you are right, dst-nat is handled in pre-routing (before routing decisions are made)
Based on routing decisions, the input or forward chain will be handled with their respective firewall filter.
After that, during post-routing, any applicable src-nat rules will be carried out.

pcarlo71 · Tue Nov 08, 2016 5:25 pm

Hi rudios,

Thank you so much for your help. I was trying to access it from within my local network. I tried accessing it from outside and it works. I'm using a Shark Security IP camera but will be upgrading to another brand this month. I learned a lot from all these postings. Again, thanks a lot.

VladimirBykov · Fri Nov 11, 2016 8:06 am

Hi, pcarlo71.

You said that you have forwarding works.
But what did you do? Unfortunately, I failed to get results on my router.

lucasrabelo · Wed Jul 19, 2017 9:03 pm

Is is solved? If not change the forward rules o Any Port

Port Forwarding Issue

Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue

Re: Port Forwarding Issue