How best to use RTSP helper

I've been using the RTSP helper by setting
net.netfilter.nf_conntrack_helper = 1
for many years. I'd like to switch to the more secure approach of leaving
net.netfilter.nf_conntrack_helper = 0
with explicit firewall rules containing
-j CT --helper rtsp
to invoke the helper only when appropriate.

In LuCI, under Firewall - Port Forwards - Advanced Settings,
there's an option to "Match helper", but choosing
RTSP connection tracking
causes connection refused on all attempts to access the RTSP port.

Am I misunderstanding the Match helper option?
Has anyone managed to get the RTSP helper to work without setting

net.netfilter.nf_conntrack_helper = 1


nft list chain inet fw4 helper_lan | grep -e rtsp

output of:

nft list chain inet fw4 helper_local


table inet fw4 {
    chain helper_local {
        meta nfproto ipv4 tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"

I renamed my lan ==> local

1 Like
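
An added example, not part of the thread and not fw4's own code: a small shell audit that lists the `ct helper set` rules in an nft ruleset dump and reports whether a given protocol and port gets a helper when `net.netfilter.nf_conntrack_helper` is 0. The function names and the sample ruleset are assumptions made for illustration; only the first sample rule is modelled on the output quoted above.

```sh
#!/bin/sh
# Added example (not from the thread): list conntrack helper assignments in
# an nft ruleset dump and check whether one covers a given port.

# Constructed sample. The first rule is modelled on the helper_local rule
# quoted in the thread; the second is made up to show a port set.
SAMPLE='table inet fw4 {
	chain helper_local {
		meta nfproto ipv4 tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
		tcp dport { 8554, 10554 } ct helper set "rtsp"
	}
}'

# Print "chain proto ports helper" for every rule that assigns a helper.
helper_assignments() {
	awk '
		$1 == "chain" { chain = $2 }
		/ct helper set/ {
			proto = port = helper = ""
			for (i = 1; i <= NF; i++) {
				if (($i == "tcp" || $i == "udp") && $(i + 1) == "dport") {
					proto = $i; port = $(i + 2)
					if (port == "{") {        # port set: { 8554, 10554 }
						port = ""
						for (j = i + 3; j <= NF && $j != "}"; j++) port = port $j
					}
				}
				if ($i == "helper" && $(i + 1) == "set") {
					helper = $(i + 2); gsub(/"/, "", helper)
				}
			}
			print chain, proto, port, helper
		}'
}

# usage: helper_state SYSCTL_VALUE HELPER PROTO PORT < ruleset
# automatic  = nf_conntrack_helper is 1, the kernel assigns helpers itself
# explicit   = sysctl is 0 and a "ct helper set" rule covers PROTO/PORT
# unassigned = sysctl is 0 and no rule covers it
helper_state() {
	if [ "$1" = 1 ]; then echo automatic; return 0; fi
	if helper_assignments | awk -v h="$2" -v p="$3" -v d="$4" '
		$4 == h && $2 == p && index("," $3 ",", "," d ",") { found = 1 }
		END { exit !found }'; then
		echo explicit
	else
		echo unassigned
	fi
}

printf '%s\n' "$SAMPLE" | helper_state 0 rtsp tcp 554
```

On a router the same check would read the live ruleset, for example `nft list table inet fw4 | helper_state "$(sysctl -n net.netfilter.nf_conntrack_helper)" rtsp tcp 554`.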

Hey There,
I'm having the same issue with RTSP and I've been hitting a wall. Maybe you can clarify how it is you resolved this?

I know that when I do RTSP via TCP it works using port forwarding, but the RTSP helper has to be off. We are trying to do RTSP via UDP and it fails. When I look at the Wireshark dump I can see the RTP traffic hitting our router, but I don't see it translating it to the WAN.

Any help is appreciated.