OPNsense Forum

English Forums => General Discussion => Topic started by: coalbl4ck on March 24, 2022, 11:29:33 PM

Title: Force all devices to use the ntpd server
Post by: coalbl4ck on March 24, 2022, 11:29:33 PM
I am new to OPNsense and was reading through my blocked traffic to see that my rules apply correctly when I noticed the block of NTP requests, since I do have that port blocked for requests to WAN.

Now I read up and figured that you can reroute all NTP traffic to the inbuilt ntpd-server.
Now I want essentially the same as here in this thread: https://forum.opnsense.org/index.php?topic=6492.0
Unfortunately the linked image got lost, however I am still confident that my configuration is mostly correct.
.. yet it doesn't work.

I have a NAT:Port Forwarding rule configured:

Interface:               LAN
TCP/IP:                  v4
Protocol:                UDP
Source:                  LAN net
Destination / Invert:    check
Destination:             LAN net
Destination port range:  NTP-NTP
Redirect target IP:      127.0.0.1
Redirect target port:    NTP
Pool options:            default
NAT reflection:          Disable


Also I checked whether the ntpd-server is actually running, which looks pretty good:


sockstat -l | grep :123
root     ntpd       83772 20 udp6   *:123                 *:*
root     ntpd       83772 21 udp4   *:123                 *:*
root     ntpd       83772 22 udp4   192.168.1.1:123       *:*
root     ntpd       83772 23 udp6   ::1:123               *:*
root     ntpd       83772 24 udp4   127.0.0.1:123         *:*


When I activate logging I can see that the NAT is matched for all WAN requests to port 123.
Tested with:
sntp -t 15 0.arch.pool.ntp.org

I am pretty sure there must be a simple explanation/solution. However, currently I am just stuck.
Help is much appreciated! :)
Title: Re: Force all devices to use the ntpd server
Post by: Mks on March 25, 2022, 09:31:30 AM
Hi,

Target IP: LAN address

should do it as long as the NTP is listening on that Interface.

br
Title: Re: Force all devices to use the ntpd server
Post by: coalbl4ck on March 25, 2022, 12:10:55 PM
Thanks for that answer.

However, I am not sure I understand it correctly.

Selecting from 'Redirect Target IP' does not give me the option to select 'LAN address'.

The interface of the NTP server is on the localhost of the OPNsense server, so isn't 127.0.0.1 correct for 'Redirect Target IP'?

br
Title: Re: Force all devices to use the ntpd server
Post by: Patrick M. Hausen on March 25, 2022, 01:08:11 PM
127.0.0.1 should work. I have been using a similar setup. There is one minor "trick" in the port forwarding configuration: look way down at the "Filter rule association" field and set that to "Pass".
Title: Re: Force all devices to use the ntpd server
Post by: coalbl4ck on March 25, 2022, 01:20:05 PM
Yess that's it! Thank you!

I had set it to local redirect or something.. never thought that would be the problem.
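
A way to confirm from a LAN client that the redirect discussed in this thread is in effect, as an added example that is not part of any post above. pf rewrites the reply's source address back to the server the client asked for, so the check compares the sync state (stratum, reference ID, reference timestamp) returned for two unrelated server names instead of looking at the source IP. The function names and the constructed sample packet are assumptions of this example.

```python
import socket
import struct
import sys

REQUEST = b"\x23" + bytes(47)  # LI=0, VN=4, Mode=3 (client request)

def parse_reply(pkt):
    """Extract the fields that identify the answering daemon's sync state."""
    if len(pkt) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    if pkt[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    stratum, raw = pkt[1], pkt[12:16]
    # Stratum 0/1 carry an ASCII code; stratum >= 2 carries the upstream's ID.
    if stratum < 2:
        refid = raw.rstrip(b"\0").decode("ascii", "replace")
    else:
        refid = socket.inet_ntoa(raw)
    (ref_ts,) = struct.unpack("!Q", pkt[16:24])
    return {"stratum": stratum, "refid": refid, "ref_ts": ref_ts}

def query(host, timeout=5.0):
    """Send one client request to host:123/udp and parse the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(REQUEST, (host, 123))
        return parse_reply(s.recvfrom(512)[0])

def same_daemon(a, b):
    """Two 'different' servers with identical sync state are one ntpd."""
    return a == b

def sample_reply(stratum, refid, ref_ts):
    """Constructed 48-byte server reply for offline use (not captured traffic)."""
    return (bytes([0x24, stratum, 6, 0xE9]) + bytes(8) + refid
            + struct.pack("!Q", ref_ts) + bytes(24))

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: ntp_redirect_check.py SERVER_A SERVER_B")
    a, b = query(sys.argv[1]), query(sys.argv[2])
    print(a, b, sep="\n")
    print("same daemon answered both (redirect active)" if same_daemon(a, b)
          else "different daemons answered (no redirect)")
```

Run the two queries back to back: the reference timestamp changes whenever the local ntpd updates its clock, so a mismatch in that field alone calls for a repeat.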