Can't get any ports to forward except 80

[Giddy169 0]

I am trying to view my security cameras remotely and I am using ATT cellular to send the video feeds. I had ports forwarded with AirVPN with OpenVPN setup on my old router. It has recently died so I setup OpenVpn on my new router. I did TCP instead of UDP on port 443 and if I try to forward any ports other than 80 I never get the green box. I think I use to forward 8000 but that no longer seems to work. Any suggestions?

[OpenSourcerer 1435]

In this case you need to forward the local port you set on AirVPN to the port your IP camera is listening on, something like this:

Internet (AirVPN remote port) |------------| (AirVPN local port) new router (AirVPN local port) |-----------| (listening port) IP camera

Your setup is a double NAT, therefore two port forwards are needed. It is important that you do the second forward for the tunnel interface tunX, X being a number, usually 0.

[Giddy169 0]

Thanks You are correct it is a double NAT. So the first port forward should be done in my Asus router settings Administrator-commands then I should be able to forward that port in Airvpn?

or do I just go into the router settings for port forwarding sorry it has been years since I had to do this.

[OpenSourcerer 1435]

Can't really answer you since we don't know what router, router OS and its version you are using.

[Giddy169 0]

I am using the Asus RT-AC68U Firmware 3.0.0.4.376-3626.
I attempted to just forward the port with my security camera IP and port but have been unsuccessful. In my old router I had this but I am not sure if helps and not sure if I need that in the new one.
iptables -I FORWARD -i tun0 -p udp -d destIP --dport port -j ACCEPT
iptables -I FORWARD -i tun0 -p tcp -d destIP --dport port -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP

I also had this command which I think was to block internet access if the VPN was not connected?
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Thanks for the help.

[go558a83nk 362]

if you are running the openvpn client on your router then  you do need to use iptables such as the above.

Just make sure to correct the tun device number

[Giddy169 0]

Would the destination IP be the cameras IP or the router running OpenVPN? So far I have been unsuccessful and currently have no ports reachable anymore. I upgraded the asus firmware to Merlin because I didn't see a way to us the asus firmware with iptables. If I run the iptables I don't have to do the forward ports in the router, the ip tables do that?

[go558a83nk 362]

destination IP is your camera IP.  if you used just the built in port forwarding of the router that forwards from WAN to LAN.  You need to forward from TUN to LAN.

If port forwarding was working then it wasn't working through the VPN.

[Giddy169 0]

Ok so I still have not got any ports forwarded. This is my setup:
Currently I have my computer hooked through my router with the IP address I will be using for the cameras after I get a port open.  I have setup a jffs scripts that begins on my routers startup to forward ports 8000 and 2000 to my computers ip (eventually cameras ip). When I go to System Log - Port Forwarding in my router under virtual servers it shows:

Source	Proto	Port range	Redirect to	Local Port	Chain

ALL                                                                               TCP                                     8000                                                 Commputer IP                                                 8000                                       Prerouting
For both UDP and TCP for ports 2000 and 8000. Is the Local Port or Port range supposed to the port number that is forwarded from AirVPN?

When connected to the VPN with the Nat-start script below I get Connected (Local: x.x.xxx.xx - Public: unknown)  internet works and AirVPN says I am connected to the server but no forwarded ports.

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE


iptables -I FORWARD -i tun11 -p udp -d destIP --dport 8000 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d destIP --dport 8000 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 8000 -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 8000 -j DNAT --to-destination destIP

[Staff 9973]

@Giddy169

Hello!

Can you please recheck your tun interface name with command ifconfig or ip link show from a telnet or ssh connection to your router? Just in case it's not "tun11". Check also whether "br0" is correct or not.

Moreover, what is that destIP in the script you pasted, in FORWARD and even in the PREROUTING chain of the nat table? "destIP" must be replaced with the actual IP address you want to pre-route and forward packets to.

Kind regards
 

[Giddy169 0]

In ifconfig the first paragraph has br0 and the 7th shows tun11.

The destIP in the script is my Computer (Eventual surveillance cameras) 192.168.1.xx

The setupy is Computer(192.168.1.xx)-Asus router running VPN (WAN 192.168.2.xx)- Netgear Nighthawk mobile Hotspot )-local ip 10.6.xxx.xx-public ip shown on AirVPN 107.167.xxx.xx

Thanks for the help I am not sure how I managed to get them working two other times before my old router on DDWRT finally fried with a CA power outage but I sure can't seem to get it to work now.
 

[Staff 9973]

@Giddy169

Hello!

Also make sure that the camera software is listening to port 8000 and not binding to the physical network interface, and that you try to access the camera on the correct exit-IP address of the VPN server, and the proper port (the port you have remotely forwarded and that you remapped to your local port 8000).

Furthermore, make sure that no firewall blocks packets to/from the software when the system is connected to the VPN and that you try to access the camera software from a device that's not connected to the same VPN server.

Kind regards
 

[Giddy169 0]

Currently I have the Computer setup with a static IP address that the cameras will be on to test the port forwarding. So I go into AirVPN forwarded ports select the port 8000 that I forwarded and I never get the green light. I assume this means the ports are not forwarding correctly so I have not bothered to hook the cameras to the router, is this a correct assumption? Maybe it is the Asus Merlin Firmware I may try ddwrt

[go558a83nk 362]

it has been said over and over in this forum that for port forwarding "green light"  the actual server must be on and listening and replying to incoming connections.  of course you don't get the green light if the device (camera) isn't even ready to reply.

[Giddy169 0]

Ok I will hook it to the cameras, first thing in the morning and see if it works. Thanks for correcting my lack of knowledge I thought that since my IP address for the computer was what I was setting for the cameras it would still be checking if I was checking the forwarded port. That makes sense that it wasn’t listening it wouldn’t work.  If it works tomorrow I will owe you some beers. This has been frustrating me.

Thanks guys that was the piece I was missing plugged in the cameras and everything works. Not sure how I missed that the cameras had to be plugged in listening!

[Staff 9973]

@Giddy169

Yes, a port is just an abstract construct to represent how a host identifies a running process, so that from 2 specific bytes on IP packets the host knows which process must receive those packets payload. If the process does not exist you can't even talk about "open" or "closed" port, simply the port does not exist. However, it's true that a non-existing port is often called a "stealth port" or even "closed port", but that's a sort of language abuse if you think of the actual definition of "port".

Kind regards