  • Sorry if this is a post that is overseen - Port Forwarding behind Cable Modem

    I have been working on this for hours, and really I'm not that bad of a network tech. I have a cable modem that has an IP of 192.168.100.1

    My Untangle Router is 192.168.1.1

    I have a Unifi Camera that I was able to create an anonymous jpeg refresh at http://192.168.1.173/snap.jpeg

    I've tried every port forwarding method I could to enable this IP to be seen outside the network.

    I need it for my sharptools panel which will have a refresh of 5 seconds to show in my panel.

    Nothing seems to work, is it because my cable modem is 192.168.100.1 and my network is 192.168.1.1?

    Can I set my cable modem to 192.168.1.X and would that help?

    Is the cable modem even the problem? I looked at the manual and there is no port forwarding configs on it.

    I think it's not working since my router is not on the edge of the network, and therefore the cable modem is stopping my efforts.

    Any suggestions appreciated, and I apologize if this is a question asked 1000x

    Attached is one of many port forward configurations I have tried

    My first post after 3 years running purchased untangle 1U server router

  • #2
    Yes, this setup is positively screaming double NAT.

    Untangle cannot forward something that's not even making it to it.

    What is the IP address on Untangle's External interface? If it's 192.168.anything, or 10.anything, or 172.16.anything those addresses are not internet valid, and you have something upstream that's receiving all the public communications and as such, any router much less Untangle operating behind it cannot do anything with the communications.

    Now, don't take this the wrong way. It's not an insult, you're trying, and you're learning which is the best possible combination of traits where you are. You're exactly the sort of person I'd love to be working with on anything out there. But you need to be aware this phrase "I'm not that bad of a network tech.", plus this situation means you ARE that bad of a network tech. This issue is an IP 101 issue, very basic.

    But again, you ARE showing solid troubleshooting skill, adaptability, and self learning. So all you're left with is the eternal process of curing your own ignorance, something we never stop doing. And because you're learning I'm going to suggest a few things to hopefully help you side step the next few landmines you're likely to run into. Or at very least hopefully help you figure out the right questions to ask so we can help you move forward.

    First, get that cable modem into bridge mode. It should allow the Untangle router to get a real public IP address on external directly. This will eliminate the second layer of NAT, and greatly simplify your life. Untangle will then have the visibility to enable its reports engine to help you investigate situations like this more quickly. Pay attention to what those reports show you, understand it, and you'll be a solid network tech in no time.

    Second, I see you're working with a camera with a web server hosted on it. The web URL you provided is HTTP, and since there is no port number in it, AND I assume that link works inside your network, that means the service is operating on the default port of TCP 80. You have forwarded TCP 10080 to the device's 10080 internally. For that to work, your test link would have to be this: http://192.168.1.173:10080/snap.jpeg. So I assume that new port field needs to be 80, if you want http://real.world.ip.addr:10080/snap.jpeg to work.

    Third, and this is a tangentially related thing. Untangle steals TCP 443, which is used for HTTPS connections. You cannot forward TCP 443 without moving the Untangle https service port first. Again this isn't technically related to this specific process, just something to keep in mind when working with web services behind Untangle in general. So make sure you keep your protocols straight, TCP 80 is for HTTP, and TCP 443 is for HTTPS.

    Finally, I do not recommend you complete this procedure and leave it in production. Do so as an exercise sure, but be aware that devices like IP cameras are notoriously full of security holes, and their exposure online directly can and will result in your network being exploited at some point in the future. It's highly recommended that you use a VPN to get to your network, and run this sort of thing over that. However, if you don't get a public address on Untangle itself, getting any of its VPN modules online is going to be a CHORE. If you want to jump in the deep end... Make Untangle's VPN apps work behind another NAT device. That's beast mode... It's also hair loss mode... swearing mode... and possibly sleep depriving mode... But if you're up for the deep dive because you really want to know how TCP/IP and NAT work, that's your lab!

    If you're stuck with that cable modem owning your public address you'll have no choice but to attempt beast mode. I don't recommend it if possible, but we'll try to help you get that done too if that's what you're stuck with.

    And welcome to the Untangle Forums!

    P.S. I'm going to say it again, exposed cameras are BAD! Beware!
    Last edited by sky-knight; 01-12-2022, 10:03 AM.
    Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: [email protected]

    • #3
      Originally posted by sky-knight:

      P.S. I'm going to say it again, exposed cameras are BAD! Beware!
      Depends on what port, Hikvision Port 8000 is perfectly safe. If you open http or https or rtsp to cameras yes that's BAD.

      • #4
        Originally posted by dashpuppy:
        Depends on what port, Hikvision Port 8000 is perfectly safe. If you open http or https or rtsp to cameras yes that's BAD.
        No... it isn't. Any service on a device that doesn't receive monthly security updates is at risk just being on a LAN. That's why we have IoT VLANs. Increasing that risk by opening it up to the Internet is just foolishness, it's a time bomb plain and simple.

        You can do that if you wish, I will not, nor will I support it. The risks of breach are too huge, the money involved too high. SDLAN all the things!
        Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
        NexgenAppliances.com
        Phone: 866-794-8879 x201
        Email: [email protected]

        • #5
          Originally posted by sky-knight:
          No... it isn't. Any service on a device that doesn't receive monthly security updates is at risk just being on a LAN. That's why we have IoT VLANs. Increasing that risk by opening it up to the Internet is just foolishness, it's a time bomb plain and simple.

          You can do that if you wish, I will not, nor will I support it. The risks of breach are too huge, the money involved too high. SDLAN all the things!
          10 years going strong! Not a single issue! Yes, it's on its own LAN network & protected, BUT port 8000 for Hikvision cameras is perfectly safe. It won't respond to anything but the Hik App.

          • #6
            Originally posted by dashpuppy:
            10 years going strong! Not a single issue! Yes, it's on its own LAN network & protected, BUT port 8000 for Hikvision cameras is perfectly safe. It won't respond to anything but the Hik App.
            Until it doesn't... that's the nature of this work we live in. I require all publicly exposed anythings to be monthly patchable or they simply don't get exposed.
            Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
            NexgenAppliances.com
            Phone: 866-794-8879 x201
            Email: [email protected]

            • #7
              Originally posted by sky-knight:
              But you need to be aware this phrase "I'm not that bad of a network tech.", plus this situation means you ARE that bad of a network tech. This issue is an IP 101 issue, very basic.
              Thank you for the help and the quick judge analysis of my skills. That was an artful reply and made me even a little suspicious of a part cut and paste. Anyways, port forwarding has always pissed me off, probably because I've never been on the edge device; I always handed it to one of my engineers to do. I previously owned StrongVPN.com so I like the idea of using a VPN, who doesn't love a good VPN? My first IP network I dealt with was in '96; my knowledge of networking is a patchwork as I never had the time to waste on my level. But I promise you, I've spent over a hundred hours working in loud cold datacenters, wiring racks, and trying to ssh into a server that everyone wants back up again. So I probably have a little more knowledge than you think I might have.

              The cameras don't have a webserver, it's an NVR from Unifi that is serving up the images.


              I looked on the manual before, there was no mention of bridge mode. Maybe that's default when they don't mention it? I emailed support asking them if it was possible.

              • #8
                Originally posted by [email protected]:
                Thank you for the help and the quick judge analysis of my skills. That was an artful reply and made me even a little suspicious of a part cut and paste. Anyways, port forwarding has always pissed me off, probably because I've never been on the edge device; I always handed it to one of my engineers to do. I previously owned StrongVPN.com so I like the idea of using a VPN, who doesn't love a good VPN? My first IP network I dealt with was in '96; my knowledge of networking is a patchwork as I never had the time to waste on my level. But I promise you, I've spent over a hundred hours working in loud cold datacenters, wiring racks, and trying to ssh into a server that everyone wants back up again. So I probably have a little more knowledge than you think I might have.

                The cameras don't have a webserver, it's an NVR from Unifi that is serving up the images.


                I looked on the manual before, there was no mention of bridge mode. Maybe that's default when they don't mention it? I emailed support asking them if it was possible.
                Don't read into his comments, most of the time they come off snarky and a$$ hole ish, but he means good. As you can tell he comments on "EVERY" post that gets posted on Untangle forum here.

                • #9
                  Originally posted by dashpuppy:
                  Don't read into his comments, most of the time they come off snarky and a$$ hole ish, but he means good. As you can tell he comments on "EVERY" post that gets posted on Untangle forum here.
                  haha no no, I'm not offended it's accurate to some degree for sure. Just thought I'd say a bit more about my background, his comments totally helped and I'm grateful. Now that I'm retired I have a bit more time to fill in my gaps of knowledge, I appreciate any feedback and additionally I feel relieved to have found this resource for advice and opinions. I was a manager / owner / marketer in the ISP business who hired network engineers, but never considered myself anything better than a hack at best.

                  • #10
                    Originally posted by [email protected]:
                    haha no no, I'm not offended it's accurate to some degree for sure. Just thought I'd say a bit more about my background, his comments totally helped and I'm grateful. Now that I'm retired I have a bit more time to fill in my gaps of knowledge, I appreciate any feedback and additionally I feel relieved to have found this resource for advice and opinions. I was a manager / owner / marketer in the ISP business who hired network engineers, but never considered myself anything better than a hack at best.
                    Perfect time to play & learn now then

                    • #11
                      Originally posted by [email protected]:
                      haha no no, I'm not offended it's accurate to some degree for sure. Just thought I'd say a bit more about my background, his comments totally helped and I'm grateful. Now that I'm retired I have a bit more time to fill in my gaps of knowledge, I appreciate any feedback and additionally I feel relieved to have found this resource for advice and opinions. I was a manager / owner / marketer in the ISP business who hired network engineers, but never considered myself anything better than a hack at best.
                      And now you're in the weeds arguing with double NAT!

                      You're in the deep end sir! I'm trying to get you out of it. Are you using COX by chance? Their "home routers with wifi" have a feature in their web UI to smack them into bridge mode. It reduces them to a simple cable modem, it's fairly straightforward. And then Untangle with external by default will get a public address and all this insanity evaporates.
                      Last edited by sky-knight; 01-13-2022, 08:31 AM.
                      Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                      NexgenAppliances.com
                      Phone: 866-794-8879 x201
                      Email: [email protected]

                      • #12
                        Originally posted by sky-knight:
                        And now you're in the weeds arguing with double NAT!
                        Yep! and an update if anyone is in a similar situation. Turns out my Arris CM8200 defaults to Bridge Mode. There's no setting or anything in their documentation that I could find that denotes that.

                        With the security concerns I'll be using a local IP on my own network in my panels to stream a jpeg refresh. Sharptools makes an awesome panel that integrates with everything well, but the security camera options are limited.
