Cannot access RTSP over WAN

jcahow

I have a Hikvision IP camera which I am trying to stream using RTSP by coming through Pfsense 2.7 using my internet domain name.

I can RTSP stream the IP camera just fine when it is accessed from my internal (10.0.0.237) network. I can also access it just fine from the internet to view the internal web viewer. I cannot seem to access it from the internet when trying to RTSP stream.

I am using Pfsense 2.7 on my Router and have port forwarded the HTTP port (93) to the appropriate internal address and this allows access to the web viewer.
I have also port forwarded the RTSP port (567) to the same internal address but this does not seem to allow the RTSP through as I have tried three different iOS streaming apps and none connect.

Since it streams and views fine on my internal network I know the IP camera and ports number setup are working fine. Since I can view the internal web viewer remotely I know the Pfsense port forwarding and firewall process are working fine (at least for the HTTP port).

This leads me to think that I am missing something in Pfsense in regards to what I actually need to port forward. Apparently I either have it setup incorrectly in Pfsense or I need to allow something else through Pfsense to view the RTSP stream.

I have the NAT rule setup in Pfsense on the WAN interface as a TCP/UDP pointing to the camera's internal address and RTSP port number just like I have on the HTTP port rule.

10.0.0.237:93 Views just fine
rtsp://10.0.0.237:567/Streaming/channels/101 Streams just fine

xxxxxx.ddns.net:93 Views just fine (my external domain name port forwarded in Pfsense)
rtsp://xxxxxx.ddns.net:567/Streaming/channels/101 never connects (my external domain name port forwarded in Pfsense)

I can ping xxxxxx.ddns.net fine so I know my router is seeing the RTSP request just fine.

Can anyone tell me if I need to open more ports in Pfsense and what they are or how to configure the RTSP port in Pfsense to allow external streaming?

stephenw10

Seems like it requires additional ports. Do you see any blocked traffic from the external client IP in the firewall logs when you try to connect?

Does the camera have outbound access to open new connections back to the client IP?

Steve

elvisimprsntr

@jcahow

Instead of port forwarding unauthenticated cameras, have you considered enabling a VPN in pfSense?

NollipfSense

@jcahow said in Cannot access RTSP over WAN:

This leads me to think that I am missing something in Pfsense in regards to what I actually need to port forward. Apparently I either have it setup incorrectly in Pfsense or I need to allow something else through Pfsense to view the RTSP stream.

It seems that you need a RTSP server. https://antmedia.io/rtsp-explained-what-is-rtsp-how-it-works/
Does your camera comes with the server? Are you using your browser to view? I got some Hikvision cameras with a Hikvision NVR...you could use the NVR as a server...with IVMS 4200...that's how I view mine http:80.

pfrickroll

@jcahow What application/software are you using to view RTSP stream? Is port HTTP 93/RTSP 567 configured on the camera, and same ports on pfSense?

stephenw10

Since it works locally the server/service and client must be functional.

Unless it's proven otherwise I'd bet the camera is trying to open rtp connections back to the client and it being blocked but can do so when the client is local.

pfrickroll

@stephenw10 I work with RTSP streams with various brands all over US. If he port forwarded everything correctly it should work without any problems.