Solved [IPFW] can't see rtsp from local camera from internet

I have a local camera with IP 192.168.1.91.
I can see the RTSP stream or open the video in a web browser from the LAN,
but I can't forward ports or traffic to see it from the internet.
I can even open the camera's web interface from the internet.


/etc/rc.conf

C-like:
hostname="ROUTER-NEW"
### WAN ###
defaultrouter="62.117.93.9"
ifconfig_re0="inet 62.117.93.14/29"
ifconfig_re0_alias0="inet 62.117.93.10/29"
ifconfig_re0_alias1="inet 62.117.93.11/29"


### LAN ###
ifconfig_vr0="inet 192.168.0.10 netmask 255.255.0.0"
ifconfig_vr0_alias0="inet 172.22.1.1/16"
ifconfig_vr0_alias1="inet 192.168.1.1 netmask 255.255.255.0"

dhcpd_enable="YES"
dhcpd_ifaces="vr0"

sshd_enable="YES"
moused_enable="YES"

firewall_enable="YES" # enabling ipfw
firewall_nat_enable="YES"
gateway_enable="YES"
firewall_script="/usr/local/etc/ipfw/rc.firewall.test"


/usr/local/etc/ipfw/rc.firewall.test

C-like:
#!/bin/sh
wan="re0"
wan_ip="62.117.93.14"
lan="vr0"
lan_ip="192.168.0.10"   # primary address on vr0 (from /etc/rc.conf); used by rules 420/430


cmd="ipfw -q"

#### Rules ####

$cmd -f flush

# Allow all traffic on the loopback interface
$cmd add 100 allow ip from any to any via lo0

# Deny outside access to the loopback network
$cmd add 200 deny ip from any to 127.0.0.0/8
$cmd add 300 deny ip from 127.0.0.0/8 to any

# Allow ssh
$cmd add 400 allow tcp from any to $wan_ip 4322 in via $wan
$cmd add 410 allow tcp from $wan_ip 4322 to any out via $wan established
$cmd add 420 allow tcp from any to $lan_ip 4322 in via $lan
$cmd add 430 allow tcp from $lan_ip 4322 to any out via $lan established

# Allow DNS queries
$cmd add 500 allow udp from any to $wan_ip 53 in via $wan
$cmd add 510 allow udp from $wan_ip 53 to any out via $wan established

# Allow UDP (for time sync - 123 port)
$cmd add 600 allow udp from any to $wan_ip 123 in via $wan
$cmd add 610 allow udp from $wan_ip 123 to any out via $wan established

# Allow all connections on lan
$cmd add 900 allow all from any to any via $lan

$cmd nat 1 config log if $wan same_ports unreg_only reset redirect_port tcp 192.168.1.146:80 8080 \
                                                          redirect_port tcp 192.168.1.91:554 5541 \
                                                          redirect_port udp 192.168.1.91:554 5541 \
                                                          redirect_port tcp 192.168.1.91:80 8081

$cmd add 1000 nat 1 log ip from any to any via $wan

# Deny all other
$cmd add 65534 deny log all from any to any

What am I doing wrong?
 
It doesn't work with port forwarding.
I thought that the reason is that the client sent the RTSP request with the WAN IP, and the camera doesn't answer it because it knows only its local IP,
so you need to install and set up bounce like this:

Code:
bounce_enable="YES"
bounce_connections="webcam96"
bounce_webcam96_options="-a WAN_IP -p 5541 LOCAL_IP 554"
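
As an added example that is not part of the original thread: a small sh/awk audit that lists every redirect_port forward in an ipfw script and marks whether it is open to any source address or limited to a remote IP. The helper name list_forwards and its output format are assumptions made here; the sample input is the nat 1 config command from the question, and only numeric remote addresses are recognized.

```shell
#!/bin/sh
# Added example (not from the thread): audit the redirect_port forwards in an
# ipfw NAT configuration and show which are reachable from any source address.

# Constructed sample input: the "nat 1 config" command from the script above.
sample_rules() {
cat <<'EOF'
$cmd nat 1 config log if $wan same_ports unreg_only reset redirect_port tcp 192.168.1.146:80 8080 \
    redirect_port tcp 192.168.1.91:554 5541 \
    redirect_port udp 192.168.1.91:554 5541 \
    redirect_port tcp 192.168.1.91:80 8081
EOF
}

# list_forwards (hypothetical helper): reads a firewall script on stdin and
# prints one line per forward: "proto public_port -> target scope".
list_forwards() {
    awk '
    # redirect_port proto target public [remoteIP[:port]]
    function scan(s,    t, n, i, scope) {
        n = split(s, t, /[ \t]+/)
        for (i = 1; i + 3 <= n; i++) {
            if (t[i] != "redirect_port") continue
            scope = "any-source"
            # A numeric 4th argument restricts who may use the forward.
            if (i + 4 <= n && t[i + 4] ~ /^[0-9]/) scope = "from-" t[i + 4]
            printf "%s %s -> %s %s\n", t[i + 1], t[i + 3], t[i + 2], scope
        }
    }
    buf == "" && /^[ \t]*#/ { next }                  # skip comment lines
    { buf = buf $0 }
    buf ~ /\\$/ { sub(/\\$/, " ", buf); next }        # join continuation lines
    { scan(buf); buf = "" }
    END { if (buf != "") scan(buf) }
    '
}

sample_rules | list_forwards
```

Run against the question's script, all four forwards come back as any-source, including the two that publish port 80 web interfaces on WAN ports 8080 and 8081.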
 