OPNsense Forum

English Forums => General Discussion => Topic started by: CJ on May 10, 2023, 06:51:04 PM

Title: Port forwarding broken on one VLAN only
Post by: CJ on May 10, 2023, 06:51:04 PM
I have port 123 on all of my network segments being redirected to OPNsense via a NAT Port Forward. This works on all of them except for one VLAN. AFAICT, there are no differences in the rules configured for the various segments.

If I do a packet capture, I can see all of the NTP requests being generated, but OPNsense never replies back to any client on this VLAN. NTP is configured for all interfaces.

The only difference I can find is in the Firewall Live View.  The successful segments all look like this.

   VLAN1   ->   CLIENTIP:123   OPNSENSEIP:123   udp   Redirect NTP to OPNSense
   VLAN1   ->   10.2.90.10:123   NTPSERVER:123   udp   rdr rule

The problem VLAN looks like this.

   VLAN2   <-   CLIENTIP:49761   OPNSENSEIP:123   udp   let out anything from firewall host itself
   VLAN2   ->   CLIENTIP:49761   OPNSENSEIP:123   udp   Redirect NTP to OPNsense
   VLAN2   ->   CLIENTIP:49761   NTPSERVER:123   udp   rdr rule

Weirdly, on LAN there's only this.

   LAN      ->   CLIENTIP:40727   NTPSERVER:123   udp   rdr rule

Any suggestions of what to check next?

Thanks.

Title: Re: Port forwarding broken on one VLAN only
Post by: CJ on May 14, 2023, 05:23:13 PM
Where's my facepalm emoji?  Turns out that the gateway on the VLAN was set differently from all of the others, so when the NTP requests were port forwarded, there was nothing there to listen to them.

Setting the gateway to the correct IP fixed the issue.
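The root cause in this thread was a per-VLAN gateway that did not match the address OPNsense holds on that VLAN, so the redirected NTP requests were delivered to an address with no listener. Below is an added example, not code from the original post or from OPNsense, of a small configuration check that catches exactly that mismatch before it shows up as an unanswered port forward. The VlanConfig fields, the check_vlan/check_all helper names and all addresses in SAMPLE are constructed for illustration.

```python
"""Verify that each VLAN's client gateway is an address OPNsense actually holds
on that VLAN, so a NAT redirect to "this firewall" reaches a listening service.

Added illustration, not OPNsense code. Names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class VlanConfig:
    name: str            # interface label as shown in the Firewall Live View
    subnet: str          # VLAN subnet, e.g. "10.2.90.0/24"
    opnsense_ip: str     # address OPNsense holds on this VLAN interface
    client_gateway: str  # default gateway handed to clients (DHCP or static)


def check_vlan(cfg: VlanConfig) -> List[str]:
    """Return a list of problems for one VLAN; an empty list means it is consistent.

    Three things are checked: the firewall address and the client gateway both
    sit inside the VLAN subnet, and the gateway the clients use is the firewall
    address itself. If the gateway is a different host, traffic that a port
    forward redirects "to the firewall" is answered by nobody.
    """
    problems: List[str] = []
    net = ipaddress.ip_network(cfg.subnet, strict=True)
    fw = ipaddress.ip_address(cfg.opnsense_ip)
    gw = ipaddress.ip_address(cfg.client_gateway)

    if fw not in net:
        problems.append(f"{cfg.name}: OPNsense address {fw} is not inside {net}")
    if gw not in net:
        problems.append(f"{cfg.name}: client gateway {gw} is not inside {net}")
    if gw != fw:
        problems.append(
            f"{cfg.name}: clients use gateway {gw} but OPNsense listens on {fw}; "
            "a redirect to the firewall will not be answered"
        )
    return problems


def check_all(configs: Iterable[VlanConfig]) -> Dict[str, List[str]]:
    """Run check_vlan over every VLAN and key the results by interface name."""
    return {cfg.name: check_vlan(cfg) for cfg in configs}


# Constructed sample: VLAN1 is consistent, VLAN2 reproduces the thread's mistake
# (clients point at .254 while OPNsense sits on .1).
SAMPLE = [
    VlanConfig("VLAN1", "10.2.90.0/24", "10.2.90.1", "10.2.90.1"),
    VlanConfig("VLAN2", "10.2.91.0/24", "10.2.91.1", "10.2.91.254"),
]

if __name__ == "__main__":
    for name, issues in check_all(SAMPLE).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it against the interface addresses and DHCP gateway settings of every VLAN that carries a "redirect to firewall" rule; any VLAN reported with a gateway mismatch is the one whose redirected requests will match the rdr rule in the live view yet never get a reply.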