OPNsense Forum

English Forums => General Discussion => Topic started by: comet on November 27, 2017, 08:03:55 pm

Title: Possible to force all devices to use the time server in OPNsense?
Post by: comet on November 27, 2017, 08:03:55 pm
I saw a discussion in another forum (completely unrelated to networking) about how someone forced all the devices on his network to use the time server on his router, even if they were trying to go to some other address, using something called DNAT.  He posted this image as an example.  This is obviously not from OPNsense:

(https://community.sophos.com/resized-image/__size/320x240/__key/communityserver-discussions-components-files/51/Dest_2D00_Nat_2D00_Rule_2D00_Redirect_2D00_NTP.png)

I am probably going to be sorry I asked, given the complexity of the responses I have received in previous threads, but I just wonder if there is any EASY way to do this in pfSense.  As best I can tell, they are intercepting any outgoing traffic to the NTP services (probably to UDP port 123) from any system on the LAN and redirecting it to the router's internal NTP server.  I just don't understand this DNAT thing.

This is not a high priority item for me, it just falls into the category of "would probably be a good thing to do if not too difficult", so if it involves a lot of effort or can't be explained simply, then never mind and thanks for reading.

EDIT:  If I were taking a complete wild guess at what to do, this is how I would do it, but I have a feeling this isn't right:

(http://i65.tinypic.com/20qo1hh.png)

The reason I think it may not be right is that under Interface I am choosing LAN, but the hint says "in most cases, you'll want to use WAN here."  But WAN doesn't seem right either.

And also under Source port range I specified NTP as both the from and to port range, but the hint says "When using the TCP or UDP protocols, specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any')."  But in this case, "any" didn't seem like the right choice either, since I am only wanting to intercept NTP traffic.

And beyond that, just the fact that I feel like I really don't know what I am doing!
Title: Re: Possible to force all devices to use the time server in OPNsense?
Post by: Ciprian on November 28, 2017, 08:51:35 am
The only 3 things you have to modify on your rule to accomplish a NAT force redirect to self for NTP are:

1. Destination/ Invert: Checked
2. Destination: LAN Network
3. NAT Reflection: Disabled

Cheers

[Later Edit] No source port
Title: Re: Possible to force all devices to use the time server in OPNsense?
Post by: comet on November 28, 2017, 07:20:03 pm
Got it, thanks.
Title: Re: Possible to force all devices to use the time server in OPNsense?
Post by: Bytechanger on January 07, 2020, 07:52:18 am
Hi,

I'm interested in doing so.
I have a VLAN for cameras, which are not allowed to connect to the internet. But they display a timecode in the picture.
Now I want to redirect ntp-requests to OPNsense ntp-server.

What should I do?
I set Firewall->NAT-Portforward
Interface-> VLAN-Interface
Protocol->UDP
Source->nothing to do
Destination->any
Destination port range-> NTP
Redirect target IP->127.0.0.1
Redirect target Port->NTP

I thought that should work, but it did not do the job.

@hutiucip:
I don't understand:
a) why Source should be set, because it could be any
b) why Destination invert
c) why Destination LAN? Should this not be the NTP server, i.e. OPNsense?

Greets

Byte
Title: Re: Possible to force all devices to use the time server in OPNsense?
Post by: Ciprian on January 07, 2020, 11:07:38 am
@hutiucip:
I don't understand:
a) why Source should be set, because it could be any
b) why Destination invert
c) why Destination LAN? Should this not be the NTP server, i.e. OPNsense?

Hi!

a) Yes, you are correct, the "later edit" thing was for comet (OP); just to over-emphasize this.

b) & c) (both go together) if the NTP request is already made to a device belonging to the internal subnet (the router for this particular case, on the interface in the same subnet as the client) you don't want to enforce the NAT rule on that packet, i.e. to alter the packet so that its header will be processed AND modified redundantly with the same destination, the destination the packet already had when reaching the router. So c) "destination" == internal && b) "destination invert" == not internal negates c) => only packets that seek an NTP server OUTSIDE the "internal" will be NATed.

Cheers!
Title: Re: Possible to force all devices to use the time server in OPNsense?
Post by: Bytechanger on January 08, 2020, 11:34:41 am
Thanks for that answer.

So I've misunderstood "invert destination" so far.
It only applies to the address and not to the port?

Up until now I thought that invert destination means all traffic that does NOT correspond to the given address/network AND the given port.

Greets

Byte

PS: And what about IPv6? There is no NAT possible to force NTP to the local service, right?
Title: Re: Possible to force all devices to use the time server in OPNsense?
Post by: Ciprian on January 08, 2020, 11:58:06 am
Correct. Yet, even if you don't have the port (123, specifically) explicitly set at the destination, the rule evaluates it because the set service (NTP) uses it -> the rule will only apply to traffic with that particular destination, including both IP and port.

It's like having the port evaluated from the application layer, not the transport/protocol layer.
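To make the invert semantics from the last two replies concrete, here is an added Python model of how the port-forward rule is evaluated (example code, not OPNsense's pf rule generation): the port test is always positive and "Destination / Invert" flips only the address test, so an NTP request to the router itself is left alone while one to an outside server is rewritten to 127.0.0.1:123. The 192.168.1.0/24 camera VLAN and the 203.0.113.10 external NTP server are constructed addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class PortForwardRule:
    """Simplified model of the Firewall -> NAT -> Port Forward fields used in the thread."""
    proto: str
    dst_net: str        # "Destination" (the thread uses "LAN Network")
    dst_invert: bool    # "Destination / Invert"
    dst_port: int       # "Destination port range" (NTP = 123); no source port is matched
    redirect_ip: str    # "Redirect target IP"
    redirect_port: int  # "Redirect target port"

    def matches(self, pkt: Packet) -> bool:
        # The port and protocol tests are always positive: "Invert" never applies to them.
        if pkt.proto != self.proto or pkt.dport != self.dst_port:
            return False
        in_dst_net = ip_address(pkt.dst) in ip_network(self.dst_net)
        # Invert flips only the address test (exclusive or).
        return in_dst_net != self.dst_invert


def apply_rule(rule: PortForwardRule, pkt: Packet) -> Packet:
    """Packet as it leaves the NAT stage: rewritten if the rule matched, otherwise untouched."""
    if rule.matches(pkt):
        return Packet(pkt.src, rule.redirect_ip, pkt.proto, rule.redirect_port)
    return pkt


# Constructed sample addresses (not from the thread).
LAN_NET = "192.168.1.0/24"
ROUTER = "192.168.1.1"
CAMERA = "192.168.1.50"
EXTERNAL_NTP = "203.0.113.10"

# Ciprian's rule: Destination = LAN Network, Destination/Invert checked, no source port.
NTP_REDIRECT = PortForwardRule("udp", LAN_NET, True, NTP_PORT, "127.0.0.1", NTP_PORT)
# Bytechanger's first attempt: Destination = any, no invert (also rewrites router-bound requests).
NTP_REDIRECT_ANY = PortForwardRule("udp", "0.0.0.0/0", False, NTP_PORT, "127.0.0.1", NTP_PORT)
```

Calling `apply_rule(NTP_REDIRECT, Packet(CAMERA, EXTERNAL_NTP, "udp", 123))` returns a packet addressed to 127.0.0.1:123, while the same request addressed to ROUTER, or a UDP/53 packet to EXTERNAL_NTP, comes back unchanged.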