RTSP viewing not accessible through pfSense from internet

Jay Cahow

I have a Hikvision IP camera which I am trying to stream using RTSP by coming through pfSense 2.7 using my internet domain name.

I can RTSP stream the IP camera just fine when it is accessed from my internal (10.0.0.237) network. I can also access it just fine from the internet to view the internal web viewer. I cannot seem to access it from the internet when trying to RTSP stream.

I am using pfSense 2.7 on my router and have port forwarded the HTTP port (93) to the appropriate internal address and this allows access to the web viewer.
I have also port forwarded the RTSP port (567) to the same internal address but this does not seem to allow the RTSP through as I have tried three different iOS streaming apps and none connect.

Since it streams and views fine on my internal network I know the IP camera and port number setup are working fine. Since I can view the internal web viewer remotely I know the pfSense port forwarding and firewall process are working fine (at least for the HTTP port).

This leads me to think that I am missing something in pfSense in regard to what I actually need to port forward. Apparently I either have it set up incorrectly in pfSense or I need to allow something else through pfSense to view the RTSP stream.

I have the NAT rule set up in pfSense on the WAN interface as a TCP/UDP pointing to the camera's internal address and RTSP port number just like I have on the HTTP port rule.

10.0.0.237:93 Views just fine
rtsp:/10.0.0.237:567/Streaming/channels/101 Streams just fine

xxxxxx.ddns.net:93 Views just fine (my external domain name port forwarded in pfSense)
rtsp:/xxxxxx.ddns.net:567/Streaming/channels/101 never connects (my external domain name port forwarded in pfSense)

I can ping xxxxxx.ddns.net fine so I know my router is seeing the RTSP request just fine.

Can anyone tell me if I need to open more ports in pfSense and what they are or how to configure the RTSP port in pfSense to allow external streaming?
 

Dominik21

I don't think that you need to open more than one port for RTSP. Did you try to use the HTTP port (93) for RTSP?
 

bp2008

Try checking the port with Open Port Check Tool -- Verify Port Forwarding on Your Router. This will likely only test TCP traffic (not UDP) but it should be enough. Don't use IPCamtalk's port checker, as it fails to connect to everything but 80/443 in my experience.

Screenshot your port forwarding rule and we can check it for errors.

Sometimes devices will block specific port numbers that they think are used for malicious traffic. Try changing the external port in your port forwarding rule to 55544 for example (no need to change the port your camera listens on as long as it matches "Redirect target port" in pfSense).
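
Added example, not part of the thread: a client-side check for a forwarded RTSP port that goes one step beyond a generic TCP port test by sending an RTSP `OPTIONS` request and classifying what comes back. The function names and the `User-Agent` string are assumptions made for this example; like the port checker mentioned above, it exercises TCP only.

```python
import socket

def options_request(host, port, path="/", cseq=1):
    """Build a minimal RTSP OPTIONS request (RFC 2326) for rtsp://host:port/path."""
    return (f"OPTIONS rtsp://{host}:{port}{path} RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\n"
            "User-Agent: rtsp-forward-check\r\n\r\n").encode("ascii")  # assumed UA string

def parse_reply(data):
    """Return (status_code, headers) from an RTSP reply, or (None, {}) if it is not RTSP."""
    head = data.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def check_forward(host, port, path="/", timeout=5.0):
    """Classify one forwarded RTSP port as seen from the client side.

    Returns (state, status) where state is one of:
      "filtered"  no TCP answer before the timeout (dropped somewhere on the path)
      "refused"   connection actively refused (reject rule, or nothing listening)
      "not-rtsp"  TCP connects but the peer does not answer with RTSP
      "rtsp"      RTSP reply received; status is the numeric status code
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered", None
    except ConnectionRefusedError:
        return "refused", None
    with sock:
        sock.settimeout(timeout)
        sock.sendall(options_request(host, port, path))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    status, _ = parse_reply(data)
    return ("rtsp", status) if status is not None else ("not-rtsp", None)
```

Run it from outside the network (a phone hotspot, for instance) against your own hostname and external port; a "filtered" or "refused" result points at the firewall or NAT rule, while "rtsp" with any status code means the forward reaches an RTSP server.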
 

The Automation Guy

And not to be a dick, but I'll give the standard answer of "You really shouldn't be forwarding ports on your router/firewall, but instead use a self hosted VPN service instead."

When you set up and use a self hosted VPN (which is very different from the "internet VPNs" that are paid/free that you see advertised constantly on the web) and you log into your network while remote, your device will appear on the local network just as if you were at home. To access your camera and feeds, you would use the exact same local IP address (192.168.1.4 for example) that you would use if you were physically at home on the local network. This makes it very easy to do things because there are no special URLs that you need to use... no port numbers that need to be added, etc.

Not only is it easier to do things while connected remotely, it is also FAR more secure. Every time you forward a port in your router/firewall, you are punching a hole in the very thing that is protecting you from outside threats. Typically these ports are also not secure which means the router/firewall simply passes along all data coming into that port without any security/limitations. You are really just one exploit away from a hacker having complete access to your network. That's not made up "movie drama" either - it's a real threat. With a VPN connection, you only forward a single port and it requires an encryption key to be validated before the system will allow any traffic through. This means every remote device must have a matching encryption key before it will have access to the network. It's the use of the encryption key that makes this solution much more secure.

pfSense supports a lot of different VPN solutions - OpenVPN, Wireguard, etc, etc. There are also lots of tutorials online that make it relatively easy to set up. I had no prior VPN experience and was able to get it set up on my pfSense system without a lot of trouble.

We do have a VPN Newbee Primer thread on this forum as well... It won't give specific instructions on how to set one up, but it is still full of good and useful information. VPN Primer for Noobs
 