Posted: Sun Jun 29, 2014 14:30 Post subject: Port forward to wireless client
This is an offshoot of my questions on another thread. That thread may be overcomplicating the situation, so I wanted to just ask about the simplest issue at hand.
I have two wireless security cameras that run a webserver on port 80. I want to access those cameras from outside the router. I've set up port forwards; however, I can never establish a connection to either camera. The browser will just time out. Port forwards to wired clients work just fine; it's only to wireless clients that I have this problem. If I ssh into the router setting up a SOCKS proxy port, then I can access the cameras using that proxy.
It appears it has something to do with the bridging of the wired/wireless networks when dealing with port forwards.
Here is a dump of the iptables. The cameras are on IP addresses, 192.168.1.201/203. Any other forwards you see there are wired client ports that work.
By the way, I should mention I've tried this with 4 different routers, 3 were dd-wrt based, and one wasn't and still couldn't get this working. Is there some inherent inability for routers in general to port forward a service on a wireless client? If so, is there something I can do via IPTABLES, etc. to make this work?
Does anyone have any ideas on this? I would really like to get port forwards to work. I'm doing this so my home automation gateway can grab images from the cameras. I've currently hacked it up so the home automation gateway creates an ssh connection into the camera router setting up ssh tunnel connections to each camera. This works, but it requires me to monitor the connection in the gateway and restore it if it goes bad or if the cameras cannot be accessed.
It would be much simpler if the port forwards just worked.
Port forwarding is to an IP address. It does not matter if the destination is on a WLAN or on cable.
You can only forward port 80 to a single unit. For the other camera, use port 81. In the browser the url must end with :81.
Use VPN to access your local network. That will give access to all resources.
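Added example, not part of any post in this thread and not the rules DD-WRT itself generates: a shell sketch of the reply's point that one external port can map to only one internal host. It rejects a second forward on an already-used port and prints generic iptables DNAT/FORWARD rules for the rest. The interface name `wan0`, the function name `gen_forwards` and the table format are assumptions; the camera and NVR addresses and ports 20081/20083 come from the thread.

```shell
#!/bin/sh
# Forward tables, one entry per line: proto ext_port internal_ip internal_port
WAN_IF="wan0"   # hypothetical WAN interface name, adjust for the router

# Constructed from the thread: cameras on distinct external ports, NVR on 80.
GOOD_TABLE='tcp 20081 192.168.1.201 80
tcp 20083 192.168.1.203 80
tcp 80 192.168.1.221 80'

# Constructed mistake: both cameras claim external port 80.
BAD_TABLE='tcp 80 192.168.1.201 80
tcp 80 192.168.1.203 80'

# Reads a forward table on stdin and prints iptables commands on stdout.
# Returns 1 and prints a "# CONFLICT" line when a proto/external port is
# reused, because only the first matching DNAT rule would ever be hit.
gen_forwards() {
    seen=" "
    rc=0
    while read -r proto ext ip port; do
        case "$proto" in ''|'#'*) continue ;; esac   # skip blanks/comments
        key="$proto/$ext"
        case "$seen" in
            *" $key "*)
                echo "# CONFLICT: $key already forwarded, skipping $ip:$port"
                rc=1
                continue ;;
        esac
        seen="$seen$key "
        # Rewrite the destination of packets arriving on the WAN side ...
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $ext -j DNAT --to-destination $ip:$port"
        # ... and allow the rewritten packet through the FORWARD chain.
        echo "iptables -A FORWARD -i $WAN_IF -p $proto -d $ip --dport $port -j ACCEPT"
    done
    return $rc
}

# Print the rules for the conflict-free table.
printf '%s\n' "$GOOD_TABLE" | gen_forwards
```

The script only prints the commands; review them before running anything on a router.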
Thanks for your reply. I do know how to set up port forwards and am doing that correctly. I've turned off UPnP. I'm also forwarding other wired clients on that router and have no problem; it's only with the wireless clients. I cannot access them through the port forwards. That's the frustrating part. As I said, I've tried 4 different routers. With all of them, I can access wired clients through port forwards, but not the wireless devices.
Obviously, internally there's a bridge set up between the wired and wireless networks so they can all act as one network. What it appears to me is that something is not allowing packets through port forwards to make it across that bridge.
VPN is not an option in this case. That's essentially what I'm doing with the SSH tunnels through the router. I really want to use the port forwards instead, and I don't understand why they aren't working.
Can you access the cameras from a lan port?
Is the camera connected over wifi?
Do the cameras have a static ip address or a static dhcp lease?
Yes, I can access the cameras fine from within the camera router's network. And the SSH tunnels I create from outside also work.
The cameras are wi-fi and have static IP addresses. If you look at the IPTABLE dump in my first post, the cameras are 192.168.1.201 and 192.168.1.203. 192.168.1.221 is the NVR which is a wired network device. I'm forwarding ports 80, 6001, 6002, and 6003 on it and that all works fine. No problem accessing it through the port forwards. When trying to access the cameras through the port forwards, it doesn't come back with an error such as connection refused or anything like that. It just times out.
Oh, and I've disabled the firewall completely on the camera router.
I'm not sure I understand what you are saying. I'm able to SSH to the camera router and by using the -L param, I can set up SSH tunnels to the two cameras. That works, but it's very troublesome to maintain that connection and reconnect as necessary. It's just an ugly hack to work around the fact the port forwards won't work like they should.
There must be some protocol or port you have missed.
What make and model are the cameras?
The cameras are Sinocam IPC-3016R. What the home automation gateway needs to do is pull a single frame from the camera which it would do by using the URL http://<cameraip>/cgi-bin/anv/images_cgi?channel=0&user=*****&pwd=*****
What I've done is have the home automation gateway SSH to the router and open tunnels to port 80 on the cameras. The SSH command being issued is:
and that works. I can grab the images with no problem.
Attached is an image of my port forward screen on the camera router. The cameras are forwarded to ports 20081 and 20083. Based on the above, I should be able to go into a browser and type:
but that just times out. The cameras also support telnet access. I have camera 1's telnet port forwarded to port 20021. Trying to connect to that also fails with a timeout after about 60 seconds or whatever the default timeout is.
Posted: Wed Jul 30, 2014 17:16 Post subject:
Have you tried to enter 0.0.0.0 as Source Net in the Forwards?
There are other threads that indicate that Forwards does not work with the Source Net blank on some builds.
What network is 192.168.123.0? Is it one you have control over?
It's a private address. Why are you running NAT?
Have you tried to put the camera in the DMZ?
Check the firewall logs for blocked packets.
Security->Firewall->Log Management
192.168.123.0 is my main router for my home. Since the cameras use a lot of bandwidth constantly streaming to the NVR, I put the whole system on its own wireless router behind the main router. The camera router is at 192.168.123.220 on the main network.
I don't remember if I tried putting a camera in the DMZ. I will disable the current forward for port 80 (that goes to the NVR) and put one camera in the DMZ and see what happens.
The firewall is disabled on the camera router. I can turn on and check the logs on the main router. I think I've done that before and they just show nothing related to my requests to the cameras, but I'll check it out.