OPNsense Forum

English Forums => 26.1 Series => Topic started by: ddam191 on February 18, 2026, 03:12:01 AM

Title: NTP Redirect via DNAT
Post by: ddam191 on February 18, 2026, 03:12:01 AM
I'm trying to set up NTP redirects across my network using DNAT, but am running into issues where clients are still reaching outside NTP pools and bypassing my NAT rule.

I have the following set up under Destination NAT:

Interface: VLAN_2212, VLAN_2224, VLAN_2248, VLAN_2296 (i.e. all VLAN interfaces within my network)
Version: IPv4
Protocol: TCP/UDP
Source: all empty
Destination invert: checked
Destination address: This Firewall
Destination port: 123
Redirect target IP: This Firewall
Redirect port: 123
Firewall rule: Pass

I cloned this rule from a DNS redirect that seems to be working, so hopefully someone can tell me what I'm missing.
Title: Re: NTP Redirect via DNAT
Post by: OPNenthu on February 18, 2026, 03:28:29 AM
Any difference if you change "Redirect Target IP" to 127.0.0.1?
Title: Re: NTP Redirect via DNAT
Post by: ddam191 on February 18, 2026, 03:44:18 AM
Quote from: OPNenthu on Today at 03:28:29 AMAny difference if you change "Redirect Target IP" to 127.0.0.1?

No, I tried an alias I have called localhost that points to 127.0.0.1 but that doesn't change anything.
Title: Re: NTP Redirect via DNAT
Post by: meyergru on February 18, 2026, 08:05:13 AM
IPv6? When your clients use DNS names for the NTP servers, IPv6 is preferred and you need a second rule for it. Note that ::1 and LL-addresses do not work as targets for redirection, so you have to use a GUA or ULA (e.g. as virtual IP).
Title: Re: NTP Redirect via DNAT
Post by: newsense on February 18, 2026, 08:59:16 AM
>>>>
Protocol: TCP/UDP
Source: all empty
Destination invert: checked
Destination address: This Firewall
Destination port: 123
Redirect target IP: This Firewall
>>>>

You have a few errors. Here's what you need to change:

Protocol: UDP
Source: any
Destination invert: UNchecked
Destination address: any
Destination port: 123
Redirect target IP: 127.0.0.1