cannot access ip-camera from the outside

Posted: Thu Mar 13, 2014 7:49 pm
by Norman29
I can access almost everything from the outside.
The only thing I cannot access is my ip-camera??
I narrowed it down to one rule that is causing the problem:
/ip firewall filter
add action=drop chain=forward comment="Drop all other traffic through the router" disabled=no
If I enable this rule I cannot access the camera; if I disable this rule the camera can be viewed.
But then I get all sorts of other unwanted traffic. So I want that rule enabled.

I tried it with adding a nat rule (which is the "solution" you'll find all over the internet):
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=86.86.86.860 dst-port=6080 protocol=tcp to-addresses=192.168.0.5 to-ports=6080
I can see that traffic is generated because the counter is running as soon as I start the camera, but there's no connection to the camera.

How can I get this cam working with the forward chain rule still active?

Re: cannot access ip-camera from the outside

Posted: Thu Mar 13, 2014 7:57 pm
by rextended
Go into the config of the camera and read ALL ports the camera uses.
Both TCP and UDP.

In Firewall / Connection tracking, use the filter to see only the IP of your camera and see what port and protocol it uses for working.

Create firewall rules accordingly

Re: cannot access ip-camera from the outside

Posted: Thu Mar 13, 2014 8:31 pm
by efaden
The DST-NAT rule only changes the incoming packet. If you have a default drop in the forward you need a rule above it to allow that incoming request.

You'll want something like:

ros code

/ip firewall filter
add chain=forward dst-address=192.168.0.5 protocol=tcp port=6080
That will actually allow the request...

Basically look at the packet flow diagram... first the packet hits the nat chains and gets changed... then it hits the forward chain... so you need both the DSTNAT and the Accept if you want it to work...

EDIT: NOTE!!! the forward rule will have to match the packet AFTER the NAT... so notice I used the internal IP and the forwarded port.
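
Added example, not part of the original posts: the rule order described above written out as one ruleset, with the NAT rule limited to the WAN side and the accept rule limited to new inbound connections on the destination port. The interface name ether1 and the comment strings are assumptions; the camera address and port are the ones from the thread.

```routeros
# Added example. Assumption: ether1 is the WAN interface (hypothetical name).

/ip firewall nat
# dstnat runs BEFORE the forward chain. Restricting it to packets arriving on
# the WAN interface keeps outbound LAN connections to port 6080 from being rewritten.
add chain=dstnat action=dst-nat in-interface=ether1 protocol=tcp dst-port=6080 \
    to-addresses=192.168.0.5 to-ports=6080 comment="camera: dst-nat"

/ip firewall filter
# Packets of connections that were already accepted (replies, follow-ups).
add chain=forward action=accept connection-state=established \
    comment="allow established"
add chain=forward action=accept connection-state=related \
    comment="allow related"

# New connections to the camera. By the time a packet reaches the forward
# chain its destination has already been rewritten, so this rule matches the
# INTERNAL address and the forwarded port, not the public address.
# dst-port (rather than port) matches the destination port only.
add chain=forward action=accept in-interface=ether1 protocol=tcp \
    dst-address=192.168.0.5 dst-port=6080 connection-state=new \
    comment="camera: allow forwarded port"

# The default drop from the original post stays LAST in the chain. Any other
# accept rules the router already has must also sit above it.
add chain=forward action=drop \
    comment="Drop all other traffic through the router"

# Check: the packet counter of the "camera: allow forwarded port" rule should
# increase when the camera is opened from outside, and the drop rule's
# counter should no longer increase for that traffic.
/ip firewall filter print stats
```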

Re: cannot access ip-camera from the outside

Posted: Fri Mar 14, 2014 2:24 pm
by Norman29
Great! 8) That worked. So frustrating and yet so logical to get that problem fixed...
Thanks for your help!

Re: cannot access ip-camera from the outside

Posted: Fri Mar 14, 2014 7:22 pm
by efaden
No problem.

Re: cannot access ip-camera from the outside

Posted: Mon Mar 31, 2014 4:01 am
by francisuk24
Just wanted to add, I was having problems port forwarding using NAT but this seemed to work for me.
Replace 192.168.1.8 with your internal IP cam and port 8081

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.1.8 to-ports=8081 protocol=tcp dst-port=8081