How can I forward an external WAN IP:PORT to internal LAN IP (no port designated)? Zyxel USG-20
I'm sure this has probably been answered dozens of times, but I can't find any solid information.
I need to bring in an external (WAN) IP camera feed from an outside source. In order to add it to my NVR, I need to convert (fwd) IP+port (IP:PORT) to an internal IP (IP with no port designation) for my NVR to accept the feed. I do know how to open a port on my USG-20, and I kind of know how to forward an IP on it, but I can't figure out how to get it to convert the WAN IP+port (IP:PORT) to an internal LAN1 IP (IP with no port designation). Any help would be greatly appreciated!
All Replies
-
Hi OldTiger, this is very straightforward.
- Configuration / Network / Interface / Ethernet / LAN1: ensure the camera(s) ("nvr_cam01", "nvr_cam02", etc.) have a reserved or static IP address on your LAN1 (10.200.210.0/24, for example)
- Optionally add them to your local DNS if you like
- Configuration / Object / Address-GeoIP / Add IPV Address / Add: create a host object for your camera(s), i.e. nvr_cam01_host, type: host, address: 10.200.210.231
- Optionally do the same for IPv6 (RA, reservation, etc.)
- Configuration / Object / Service / Service / Add: add and configure one for a WAN service and some port that can be accessed. If you can soft-configure the external WAN's camera to use ANOTHER service number / port, such as 65481 for example, it will help a little to restrict the access. In any case, let's use the default camera's port service as 19432 (I just made it up). If this is not available in the list of existing services, then configure one as follows: name: tigers_ext_cam, IP Protocol: TCP, Starting Port: 19432, Ending Port: 19432
- Configuration / Network / NAT / Add: add a NAT rule to redirect any inbound WAN 19432 traffic to your camera at nvr_cam01_host at port 19432. Rule Name: tigers_wan_camera_nat; Port Mapping Type: Virtual Server; Incoming Interface: WAN1; External IP: WAN_ANY_IP; Internal IP: nvr_cam01_host; Port Mapping Type: Service; External Service: tigers_ext_cam; Internal Service: tigers_ext_cam
- Now allow it through the WAN with an ACL: Configuration / Security / Policy Control / Add: enable, rule name, description, etc.; From: WAN; To: LAN1; Source: WAN_ANY_IP; Destination: nvr_cam01_host; Service: tigers_ext_cam; Action: allow; [Optionally Log Matched Traffic] (so you can see if it gets through; great for debugging)
- Use a TELNET command from outside the WAN to see if you get a prompt (telnet wan_ip 19432).
- Lastly, use the usg20wvpn log to look at any ACL errors, and also successful FORWARD; then you can see it's working
- The included standard LAN1_WAN (Any) policy route will route the traffic back out to the LAN, so leave it as is.
There are plenty of examples of this out in these forums and also on DSR forums.
hth
Good Luck
0 -
Thank you for the long & detailed reply warwickt. I like to think I am at least an intermediate if not advanced PC tech, but your jargon made me feel like a newbie. Unless I misunderstood your directions, I think #1 on your list will describe a different scenario than what I'm trying to do here.
The IP camera(s) I want to add to my NVR are not on my LAN at all. I want to grab an external IP:PORT (WAN) (i.e. 23.241.176.188:250). Then, if I can forward 23.241.176.188:250 to my LAN as 192.168.1.250 I would be able to add it to my NVR.
Yes, I can change the port on the IP cameras to any port I choose, so for conversation sake I made it port 250.
I suspect I am doing something wrong on my NAT or Service (#6 in your reply).
NAT screenshot attached here.
Thank you for your assistance!
0 -
So the IP camera is connecting to you by 23.241.176.188:250?
I thought an NVR connects out to the IP camera?
0 -
It is not connecting to me now, thus my query here. My NVR (Dahua) only connects to internal LAN IPs. What I am trying to do is import an external WAN IP:PORT into my USG-20 and forward it to an internal LAN IP so my NVR can see it & use it.
0 -
So with the rule you have done, have you also made a firewall rule (Policy Control)?
0 -
Yes, but not sure if done correctly.
0 -
Looks like you've done it right.
Maybe I'm wrong, but is your problem that the NVR can only connect out to an IP camera in your LAN but not out to an external WAN IP? If so, then there might be a way using routing and a virtual interface to act as the IP camera, to then NAT the destination IP to the WAN IP camera with a routing rule.
0 -
"your problem that the NVR can only connect out to IP camera in your LAN but not out to an external WAN IP" = CORRECT!
The rest of your comments were slightly confusing, but I think you grasp the right concept. The problem is... I have been unsuccessful in my attempts thus far! And hence my post here :)
Thank you for your efforts to help.
0 -
OK, if we've been going about this the wrong way and if I'm right, here's what you do.
On LAN1 make a virtual interface with IP 192.168.1.254/255.255.255.0.
Make your NVR to connect to 192.168.1.254
Make a NAT virtual server with the following:
Incoming Interface LAN1
Original IP User defined
User-defined Original IP 192.168.1.254
Mapped IP User defined
User-defined Mapped IP 23.241.176.188
Port mapping with port 250
then next make a routing rule with the following:
incoming interface
member LAN1
service port 250
next hop
type interface
interface wan1
address translation outgoing-interface
And if I'm right, that should do it.
0 -
I must still be doing something wrong because it doesn't work as described.
I don't know what you mean by "make a virtual interface with IP" so maybe that is the step I'm missing.
NAT is as you described, and I believe the new rule is as you described:
When I enter the IP 192.168.1.250 (you said 192.168.1.254, but we are on the same page on that) into my web browser, it loops back to the login for my page of my USG-20 (same as if I typed 192.168.1.1).
Thank you for your continued help!
0
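An added example, not part of the thread and not Zyxel code: a simplified Python model of the LAN1 virtual-server rule and the wan1 routing rule with outgoing-interface address translation proposed above, following one NVR connection through both translations. The NVR address, the WAN1 address and the source port are constructed placeholders, and source ports are assumed to be preserved.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Addresses and port from the thread.
VIRTUAL_IP = "192.168.1.254"    # virtual interface on LAN1
CAMERA_IP = "23.241.176.188"    # external camera
CAMERA_PORT = 250
# Constructed placeholder (documentation range), not a value from the thread.
WAN1_IP = "198.51.100.10"

class Gateway:
    """Toy model: destination NAT on LAN1, source NAT on wan1, session table."""

    def __init__(self):
        self.sessions = {}  # (remote ip, remote port, wan ip, wan port) -> LAN packet

    def outbound(self, pkt):
        # The virtual server matches only VIRTUAL_IP on the mapped port.
        if (pkt.dst, pkt.dport) != (VIRTUAL_IP, CAMERA_PORT):
            return None  # no rule matches: the packet stays on the gateway's own IP
        # Rewrite the destination to the camera, then the source to the WAN1 address.
        out = replace(pkt, src=WAN1_IP, dst=CAMERA_IP)
        self.sessions[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def inbound(self, pkt):
        # Only replies that belong to a session opened from the LAN are translated back.
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None  # unsolicited WAN traffic: nothing to forward
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

if __name__ == "__main__":
    gw = Gateway()
    nvr = Packet("192.168.1.50", 40000, VIRTUAL_IP, CAMERA_PORT)  # constructed NVR flow
    print("to camera:", gw.outbound(nvr))
    print("to NVR:   ", gw.inbound(Packet(CAMERA_IP, CAMERA_PORT, WAN1_IP, 40000)))
    print("port 80:  ", gw.outbound(Packet("192.168.1.50", 40001, VIRTUAL_IP, 80)))
```

In this model the connection is opened from the LAN side, so no inbound WAN rule is involved, and a browser request to the virtual IP on port 80 matches no rule and stays on the gateway.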