Messages

Thanks for the suggestions. I realized that after modifying my DNAT rule that I needed to run a packet capture on the WAN interface, not the internal interfaces, to confirm that the rule was working, which it now is. The rule is truly transparent since each device thinks it's contacting its configured NTP server, but OPNsense is intercepting and redirecting the traffic.

Solved.

Any difference if you change "Redirect Target IP" to 127.0.0.1?

No, I tried an alias I have called localhost that points to 127.0.0.1 but that doesn't change anything.

I'm trying to set up NTP redirects across my network using DNAT, but am running into issues where clients are still reaching outside NTP pools and bypassing my NAT rule.

I have the following set up under Destination NAT:

Interface: VLAN_2212, VLAN_2224, VLAN_2248, VLAN_2296 (i.e. all VLAN interfaces within my network)
Version: IPv4
Protocol: TCP/UDP
Source: all empty
Destination invert: checked
Destination address: This Firewall
Destination port: 123
Redirect target IP: This Firewall
Redirect port: 123
Firewall rule: Pass

I cloned this rule from a DNS redirect that seems to be working, so hopefully someone can tell me what I'm missing.