IP camera with port forwarding

still pulling my hair out...reinstalled openwrt another 8 times since each time i try new settings out and reboot...gone...no ip, no ssh.

my lan ip is static 192.168.1.1, assigned static 192.168.1.2 to my ip camera's internal settings, created port forward rule for 192.168.1.2 port 1000 to 443 just like the ip camera's guide suggested and i'd had set up for 5 years with dd-wrt. i then go to network>interfaces>devices>add device configuration to create new bridge device, assign it to eth2(port 3) since eth0 is lan and eth1 is wan for me. box reboots ok...good. lastly i add a new interface, select the new bridge i named camera1, give it the same static 192.168.1.2, and add to lan firewall-zone. save/apply, reboot...and gone...never comes back

i need this setup so i can view camera feed from my cell while on the road like i've been doing for years on dd-wrt...don't like the idea of my phone becoming part of my home network even temporarily so not willing to use vpn/wireguard/etc

at this point i dont even care about more secure setups like adding a separate vlan for the camera...i just dont care after doing this for 4 nights after work now...im completely spent

probably doing something else dumb and could really use more help, thanks so much

If you want to create a separate vlan for your camera, it must be a different subnet than the lan.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

Why would you need a new bridge device?
A simple port forward is enough to connect to your camera.
This assumes your camera itself is secured.

As I would not trust the security of the camera, I would always choose something like a VPN to connect to my home.

3 Likes

hi psherman, thanks for reaching out. i dont want a vlan...to be honest i want my new protectli box to behave like my prior crappy asus router running dd-wrt where all the lan ports can be on the same 192.168.1 subnet. on all my prior routers the lan ip was 192.168.1.1, and my camera was 192.168.1.2...happy times...everything worked. the ip camera itself has its own configuration and services because i have to give it my dynamic dns account info so it can remain connected when my isp gives me a new ip address.

So you don’t need to do anything special with your network config. Reset it to defaults. Then plug in your camera. If the camera uses dhcp to get its address, you’ll want to set a dhcp reservation to ensure that it has the same address all the time.

Then you can set up your port forward (although I agree with @egc, a vpn is a much better solution).

1 Like

thanks again psherman for the help here. i have to use static address because my dynamic dns service running on the ip camera frequently doesnt update regularly enough and i used to frequently get timeouts when using my phone to view the camera feed. as for dhcp reservation, i've never done that...certainly hope just giving a static ip is basically the same thing i'm trying to accomplish here. my whole network is in my head with all ip addresses memorized and i would sure prefer to keep it that way.

i'm not comfortable with my phone ever becoming part of my home network because that undermines the threat model i've got in place for what i'm trying desperately to transition to here.

i just desperately need your help as to why i can't get my new protectli box with these 4 separate nics, to behave like my old crappy asus router where all the lan ports are on the same subnet

and i mean, if it really is somehow easier to set up a vlan, ok but just please help me with where to go and what to put where because one of the prior times i tried vlan with a separate 192.168.2.2 ip and the box failed to reboot

Dynamic DNS is entirely different than DHCP (with or without a reservation) or Static IP.

DHCP is the automatic method for your camera to obtain an address on your network. Static IP is the other way — this is when you configure the device with the IP address information manually on the unit itself (camera in this case). A lot of IoT type devices do not even provide a means of setting a static (manually configured) IP address, but some do.

As long as your camera doesn’t have any significant bugs with DHCP, it should not cause problems to use DHCP. The DHCP reservation simply tells the DHCP server that you want to issue a specific/known IP address to a given client.

DDNS is a different thing — DNS is the “domain name system” which allows the domain (usually words like openwrt.org) to map to an IP address. Since many residential connections use dynamic IP addresses on the WAN, it may periodically change. The DDNS services simply update a domain you own to the latest IP you have on your wan. You can run these on OpenWrt (instead of your camera) and it should work flawlessly assuming the address is public and not RFC1918 or CG-NAT.

Please describe your reasons for this and the threat model you think is of concern. If you do anything personal at all on your phone, chances are that you are already treating it as a moderately or fully trusted device. Does your phone use your wifi when you are home? If so, your phone is already part of your home network.

Port forwarding from the internet to a device on your network means that you are exposing that device directly to the internet for hackers/bots to attack. Cameras and IoT devices are typically not very well secured and often have vulnerabilities that don’t get patched by the vendors. This means that port forwarding from the internet to your camera could expose your entire network if your camera gets compromised. (And this is to say nothing about the camera feed itself, unless you truly don’t care about the video being exposed to the world).

A VPN on the other hand, ensures that only devices with authorized cryptographic keys can connect. In the case of wireguard, the protocol itself only responds when the keys are correct, so if the keys are wrong, there is literally no response which means a very low attack surface.

Furthermore, you can use the OpenWrt firewall to limit what the VPN connection can access, so you can ensure that your phone (or anything else using the VPN) can access.

Using VLANs is a better way to secure your network if the camera itself could be a potential threat. But I think that this might be a bit more advanced than you’re ready for at this point.

hi psherman, sorry this got so radically reductive. could we swing back to where i asked about how to get my protectli box with 4 nics, to behave like my crappy old asus router running like dd-wrt where all the lan ports can be on the same 192.168.1.X?

for context: isp>modem in bridge mode>protectli box. i want ip camera to connect to box on lan side so that i can view video feed while on the road. the ip camera offers dynamic dns support so i have a subscription with a dynamic dns provider to keep track of my revolving isp provided ip address assigned to me. the ip camera also offers ftp service for sending screenshots of events based on motion to an offsite or onsite ftp server. i chose offsite. i've done this for 5 years with dd-wrt on asus, and before that for 10 years prior with tomato on linksys wrt54g. i'm in a new ballgame with this new protectli box having separate nics and could use definitive guidance here.

Reset your openwrt router to defaults. It should do this in the standard config.

Plug your computer into one of the lan ports. Done.

Camera into another lan port. Done.

nothing has dhcp. everything in my network is configured static except my wan interface to get new ip from isp

As long as your static ip addresses don’t conflict with the default range (192.168.1.100-249) it should be fine.

You can change the range of the dhcp server or turn it off entirely if you want

i'm really sorry but something isn't clicking in my head here.

-lan ip is 192.168.1.1 plugged into eth0
-wan is eth1
-i tried many times before to set ip camera's config to new static ip, say 192.168.2.2 in its configurator
-then plug in the camera to eth2, create device under device tab choosing "network device", eth2 as existing device, click save and then save/apply
-go to interface, add new interface, name it something clever like "camera", set protocol to static, select ethernet adapter eth2, put 192.168.2.1 in the ipv4 address field, /24 like everything else lan side in my network
-then disable delegate ipv6 prefixes under advanced
-and under firewall settings i assign firewall zone to lan
-restart
-it's dead...nothing...can't ssh, no internet passing, no webgui

exactly as you described that it should just work like my old asus router out of the box, is exactly what i thought too but something is keeping this thing from booting back up. i'm so lost and/or in over my head

You need it to be in the same subnet as your lan. 192.168.1.2

No. Don’t do any of this. Default config. Don’t mess with the interfaces and devices. You are over complicating this.

ok i'll try now...

-set everything to default
-put 192.168.1.10 in the ip camera's configurator so it's static
-plug it into eth2
-set a port forward in openwrt from wan tcp/udp 4000 to 443 to the static address of 192.168.1.10 like it says in the camera's manual
-see if it just works like i hope...

I'm not sure if this has been mentioned yet but on an x86 only the first two Ethernet ports are automatically assigned (one is wan, and one is in br-lan as its only active port). To extend LAN functionality to the rest of the ports like a typical consumer router works, you would need to add them to br-lan.

Do not create a new bridge or create a new interface. You can (and should) do that later for more security, but for now just connect the camera into lan and give it a lan IP so you can learn how to set up port forwarding and ddns. (though as others said, exposing a camera directly to the Internet is not good security practice).

1 Like
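
The layout the replies above converge on, written out as an added example (not posted by anyone in the thread): the default br-lan bridge extended to the spare NICs, no extra bridge or interface, and a single port forward to the camera. The port names follow the thread (eth0 LAN, eth1 WAN, eth2 camera); eth3 as the fourth NIC, the rule name and TCP-only forwarding are assumptions.

```conf
# /etc/config/network (relevant sections only)
# Constructed example. Keep the default br-lan device and add the spare
# NICs to it so every LAN port shares 192.168.1.0/24.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth2'     # camera port, per the thread
	list ports 'eth3'     # assumed name of the fourth NIC

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

# No 'camera' interface and no second bridge: the camera keeps its own
# static address (192.168.1.10 in the last attempt above), which sits
# outside the default DHCP pool of 192.168.1.100-249.

# /etc/config/firewall (added to the default rules)
# Forward WAN port 4000 to the camera's HTTPS port.
config redirect
	option name 'camera-https'   # hypothetical rule name
	option target 'DNAT'
	option src 'wan'
	option src_dport '4000'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '443'
	option proto 'tcp'           # assumption: the post forwards tcp/udp; HTTPS is taken to need TCP only
```

With this rule the camera's web service is the only LAN service reachable from the internet, so the camera's own firmware and credentials are the whole defence on that port, which is the exposure the replies above warn about.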

hmmm shoot...hope i haven't given myself all this grief by deleting that br-lan. it looked like i didn't need that functionality as like i said above i thought everything would just work rather easily where all nics would be bridged.

did i screw everything up by deleting that default br-lan?

From a previous post, I seem to recall seeing br-lan with all the lan ports. But the op hasn’t reposted the config, so I may be mistaken.

@openwrt_user_2024:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

but anywho, thanks so much to the both of ya. about to go offline for a few to set default and reconnect everything

oh sorry, just saw. i'll pull this now before going offline for a few and post it here in a sec

ubus call system board:

[REDACTED]

everything else the same as last time i posted