How can I forward an external WAN IP:PORT to internal LAN IP (no port desiganted)? Zyxel USG-20

OldTiger
OldTiger Posts: 19  Freshman Member
First Comment
edited April 2021 in Security

I'm sure this has probably been answered dozens of times, but I can't find any solid information.

I need to bring in an external (WAN) IP camera feed from an outside source, in order to add it to my NVR, I need to convert (fwd) IP+port (IP:PORT) to an internal IP (IP with no port designation) for my NVR to accept the feed. I do know how to open a port on my USG-20, and I kind of know how to forward an IP on it, but I can't figure out how to get it to convert the WAN IP+port (IP:PORT) to an internal LAN1 IP (IP with no port designation). Any help would be greatly appreciated!

«134

All Replies

  • warwickt
    warwickt Posts: 111  Ally Member
    First Anniversary Friend Collector First Answer First Comment

    HI OldTiger, this is very straight forward

    1. Configuration / Network/ INterface/ Ethernet / LAN1 .... ensure the cameras(s . "nvr_cam01, "nvr_cam02" etc ) have a reserved or static IP address on your LAN1 (10.200.210.0/24 example)
    2. optionally add them to you local DNS if you like
    3. Configuration / Object / Address-GeoIP /Add IPV Address / Add .. : create a host object for your camera(s) i.e: nvr_cam01_host , type: host , address: 10.200.210.231
    4. Optionally do the same for IPV6 - RA and reservation etc etc
    5. Configuration / Object/ Service Service Add : ad configure anytime for a WAN service and some port that can be accessed. IF you can soft configure the external wan's camera to use ANOTHER service number / port such as 65481 for example. it will help a little to restrict the access. In any case lets use the default cameras' port service as 19432 (I just made it up ) . IF this is not available in the list of existing services, then configure one as follows: name: tigers_ext_cam , IP Protocol : TCP, Starting Port : 19432, Ending Port 19432
    6. CONfiguration/ Network/ NAT ; Add dd a NAT rule to redirect any inbound WAN 19432 traffic to your camera at nvr_cam01_host at port 19432 dd. Rule Name: tigers_wan_camera_nat; Port Napping Type : Virtual Server; Incoming Interface ; WAN1; External IP : WAN_ANY_IP; Internal IP: nvr_cam01_host ; Port Mapping Type: Service; hh External Service: tigers_ext_cam ; Internal Service: tigers_ext_cam;
    7. now allow it through the WAN with an ACL: Configuration / Security / Policy Control / Add -- enable, rule name , description ... etc ; From: WAN; To: LAN1; Source: WAN_ANY_IP ; Destination: nvr_cam01_host; Service: tigers_ext_cam; Action: allow ; [OPrionally Log Matched Traffic] {so you can see if it gets through. Great for debugging.
    8. use a TELNET command from outside the WAN to see if you get a prompt. (telnet wan_ip 19432).
    9. Lastly use the usg20wvpn log to look at any ACL errors ... and also successful FORWARD .. then you can see its working
    10. use the included standard LAN1_WAN (Any) Policy route will route the traffic back out to the lan.. so leave it as is.

    There's plenty of example of this out in these forums and also on DSR forums.

    hth


    Good Luck

  • OldTiger
    OldTiger Posts: 19  Freshman Member
    First Comment

    Thank you for the long & detailed reply warwickt. I like to think I am at least an intermediate if not advanced PC tech, but your jargon made me feel like a newbie. Unless I misunderstood your directions, I think #1 on your list will describe a different scenario then what I'm trying to do here.

    The IP camera(s) I want to add to my NVR are not on my LAN at all. I want to grab an external IP:PORT (WAN) (i.e. 23.241.176.188:250). Then, if I can forward 23.241.176.188:250 to my LAN as 192.168.1.250 I would be able to add it to my NVR.

    Yes, I can change the port on the IP cameras to any port I choose, so for conversation sake I made it port 250.

    I supect I am doing something wrong on my NAT or Service (#6 in your reply).

    NAT screenshot attached here.

    Thank you for your assistance!

  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    So the IP camera is connecting to you by 23.241.176.188:250 ?

    I thought a NVR connects out to the IP camera?

  • OldTiger
    OldTiger Posts: 19  Freshman Member
    First Comment

    It is not connecting to me now, thus my query here. My NVR (Dahua) only connects to internal LAN IP's. What I am trying to do is import an external WAN IP:PORT into my USG-20 and forward it to an internal LAN IP so my NVR can see it & use it.

  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    So with the rule you have done have you also make a firewall rule (Policy Control)?

  • OldTiger
    OldTiger Posts: 19  Freshman Member
    First Comment

    Yes, but not sure if done correctly.


  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Looks like you done it right.

    Maybe I'm wrong but is your problem that the NVR can only connect out to IP camera in your LAN but not out to an external WAN IP? If so then there might be a way using routing and virtual interface to ack as the IP camera to then NAT the destination IP to the WAN IP camera with a routing rule.

  • OldTiger
    OldTiger Posts: 19  Freshman Member
    First Comment

    "your problem that the NVR can only connect out to IP camera in your LAN but not out to an external WAN IP" = CORRECT!

    The rest of your comments were slightly confusing, but I think you grasp the right concept. The problem is... I have been unsuccessful in my attempts thus far! And hence my post here :)

    Thank you for your efforts to help.

  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Ok if we been going about this the wrong way and if I'm right heres what you do.

    On LAN1 make a virtual interface with IP 192.168.1.254/255.255.255.0.

    Make your NVR to connect to 192.168.1.254

    Make a NAT virtual server with the following:

    Incoming Interface LAN1

    Original IP User defined

    User-defined Original IP 192.168.1.254

    Mapped IP User defined

    User-defined Mapped IP 23.241.176.188

    Port mapping with port 250

    then next make a routing rule with the following:

    incoming interface

    member LAN1

    service port 250

    next hop

    type interface

    interface wan1

    address translation outgoing-interface

    and If I'm right that should do it.

  • OldTiger
    OldTiger Posts: 19  Freshman Member
    First Comment

    I must still be doing something wrong because it doesn't work as described.

    I don't know what you mean by "make a virtual interface with IP" so maybe that is the step I'm missing.

    NAT is as you described, and I believe the new rule is as you described:

    When I enter the IP 192.168.1.250 (you said 192.168.1.254, but we are on the same page on that) into my web browser, it loops back to the login for my page of my USG-20 (same as if I typed 192.168.1.1).

    Thank you for your continued help!

Security Highlight