How do I bypass USB-cam stream to other clients connected to uplevel router?

Here is setup:

  1. Keenetic Router (192.168.2.1) provides "WAN" for my device with OpenWRT
  2. OpenWRT eth0 interface, via DHCP client, receives it as uplink and gets the 192.168.2.150 "WAN" address and access to the Internet
  3. OpenWRT eth1 interface (192.168.3.1) with DHCP-server provides DHCP for clients connected to eth1 via switch.

With the help of the motion package I set up a USB webcam connected to OpenWRT via eth1, so that it can stream video in the LAN. So, when I connect my desktop to the 192.168.3.X subnet and type 192.168.3.1:8081 in the browser, I receive an HTTP page with embedded video from the USB webcam. Everything is fine.

The problem is that clients connected to the Keenetic (subnet 192.168.2.X) cannot receive the video stream from the USB webcam or motion, for that matter. I mean, if I connect a desktop PC to the Keenetic subnet 192.168.2.X and type 192.168.2.150:8081, I get "connection refused".

I guess it is because of the OpenWRT firewall, which does not allow connections to the LAN from the upper-level network, which is considered WAN.

Can you please help me understand how I fix that? Do I need to use port forwarding? Thank you.

UPD: As far as I understand I should forward outgoing traffic from 192.168.3.1:8081 (lan) to 8081 (wan)

But it does not work anyway. I guess I must check some checkbox somewhere? It seems that even such simple settings are always counterintuitive and overcomplicated for no reason. I am completely frustrated.

UPD2: Well. It seems everything is fine now. I can access my webcam stream from the upper-level subnet.
Here is a picture of the working port forwarding


It just seems wrong in some way, but it is working. I was always thinking about port forwarding FROM a device, but in the OpenWRT ideology, I presume, I must think about forwarding TO a device. Well, or maybe I just mistyped the address several times...

Services hosted on the router itself (the motion package) use a Traffic Rule not a Port Forward. Delete this forward then click on the Traffic Rules tab and set up one to accept IPv4 TCP 8081 from wan. Leave everything else blank.

A Port Forward would be used if you had a server on the LAN side (a separate machine with a .3 IP address) which needs to be reached from the WAN side, and NAT is in effect. That is not the case here.
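The Traffic Rule from the answer above, written as a section of `/etc/config/firewall`. This is an added example, not part of the original posts: the rule name is made up, and the `src_ip` line is an assumption that goes beyond "leave everything else blank" by limiting the rule to the Keenetic subnet named in the question.

```uci
# /etc/config/firewall (fragment)
# Input rule: there is no 'dest' option, so it matches traffic addressed
# to the router itself, which is where motion listens on port 8081.
config rule
	option name 'Allow-motion-stream-from-wan'   # hypothetical name
	option family 'ipv4'
	option src 'wan'
	option proto 'tcp'
	option dest_port '8081'
	option target 'ACCEPT'
	# Assumption, not in the answer: accept only clients on the upstream
	# Keenetic subnet instead of anything that can reach the wan interface.
	option src_ip '192.168.2.0/24'

# Apply with: /etc/init.d/firewall reload
```

Without `src_ip` the rule matches what the answer describes: IPv4 TCP 8081 accepted from the whole wan zone.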

@mk24 is right, however this smells of an XY problem. A better approach overall may be a static route. First, tweak the OpenWRT router's firewall settings to allow forwarding from the wan zone to the lan zone and disable masquerading. Then create a static route on your main router like this: 192.168.3.0/24 via 192.168.2.150. This will get rid of the double NAT and allow both networks to communicate freely with each other, so devices on 192.168.2.0/24 will be able to talk to devices on 192.168.3.0/24 and vice versa without any port forwards or traffic rules.

I looked up how to do it on your Keenetic router, and the static route should look a lot like this:

  • Route type: Route to network
  • Destination network address: 192.168.3.0
  • Subnet mask: 255.255.255.0
  • Gateway IP: 192.168.2.150

The remaining options not listed above you'll probably have to figure out by trial and error, as I don't have a Keenetic device to test on, but this should get you pretty close.