Chrony / NTS port question

Started by Hedgehog, April 19, 2025, 02:54:09 PM

April 19, 2025, 02:54:09 PM Last Edit: April 19, 2025, 03:05:10 PM by Hedgehog
Hi,

I hope someone can help.

Using OPNsense 25.4, I set up chrony and firewall NAT port forwards for port 123. (And the default network time service is off and no time servers are listed.)

I used this list for NTS servers:

https://github.com/jauderho/nts-servers

Chrony listen port: 123
Nts client support: enabled
NTP peers: ntp2.glypnod.com time.cloudflare.com ntppool.time.nl ptbtime.ptb.de paris.time.system76.com

Then I watched the logs to see if it was all set right.

And I can see lots of UDP 123 pass rules to the time servers.

But I have seen a couple of pass rules on the WAN interface for TCP port 4460 to (let out anything from firewall host itself (force gw)):

162.159.200.1 (time.cloudflare.com)
178.62.68.79 (ntp2.glypnod.com)
162.159.200.123 (time.cloudflare.com)
15.237.97.214 (paris.time.system76.com)

And more pass rules on TCP port 8123 to (same rule):
178.62.68.79 (ntp2.glypnod.com)

And 1 blocked inbound on TCP port 8123 from:
65.49.1.220 (scan-77-08.shadowserver.org)


I was expecting to only see port 123 mentions in the logs and I've not seen anyone mention other ports being used in the chrony posts.

I've disconnected from the internet for now. Is this normal behaviour on chrony?
Or have I set something wrong?
I can't see ports 8123 or 4460 being allowed anywhere in my rules, and it's just a bare network for now (there are no clients connected to my subnets), just my admin PC, which is only allowed GUI access.


Thanks in advance

I think I might be worrying about nothing.

This article and some comments in it mention port 4460 for some of the time servers I selected:

https://weberblog.net/setting-up-nts-secured-ntp-with-ntpsec/

So I think this is normal.

Seeing these other ports being allowed took me off guard. I could not see these port numbers mentioned anywhere in the chrony tabs and was OMG!!! Something is wrong.

Noob moment over :-)

Chrony and NTPsec are different beasts, and we only have Chrony in OPNsense.


Simply having the port forward from (V)LANs to the FW port 123 where Chrony runs is not sufficient.


Chrony needs to be told for which networks it is supposed to answer NTP queries - else it won't answer anything by default.

The GUI will only give you the information on how chrony is doing with regards to syncing the time from (NTS) servers.


You can check which machines talk to chrony and sync their time from it using this command:

chronyc clients -v


Thanks very much for the command.
It confirms my clients are set correctly.

I can see a Raspberry Pi get the correct time (which is also behind a Peplink router, which is then connected to the OPNsense router), so the client side and going through another router is working. Woohoo.

I was wondering more about the outbound ports from the opnsense / chrony out through the WAN to the time servers.
I wasn't expecting to see anything other than port 123, but I definitely see a few outbound to 178.62.68.79:8123
And when I do an IP lookup, this IP resolves to ntp2.glypnod.com which is one of the time servers I specified in chrony.

The use of port 8123 caught me by surprise a bit.
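As an added illustration of the two points in this thread (chrony answers only clients covered by an allow directive, and each NTS source needs an outbound TCP connection to the server's NTS-KE port in addition to UDP 123), here is a chrony.conf fragment written for this reply; it is not taken from the thread or from the config OPNsense generates, and the LAN subnet, the dump directory and the non-default port are assumptions.

```conf
# Added example chrony.conf fragment (not OPNsense's generated config).
# Each "nts" source does two things: NTP time sync over UDP 123, and
# NTS key exchange (NTS-KE) over TCP 4460 by default. That is the
# outbound TCP 4460 traffic seen in the firewall log; it is covered by
# the automatic "let out anything from firewall host itself" rule.
server time.cloudflare.com iburst nts
server ntppool.time.nl iburst nts
server ptbtime.ptb.de iburst nts
server paris.time.system76.com iburst nts
server ntp2.glypnod.com iburst nts

# If an operator publishes NTS-KE on a port other than 4460, the
# ntsport option names it (8123 here is only an assumed example value;
# check the server's own documentation before setting it).
# server ntp2.glypnod.com iburst nts ntsport 8123

# chrony answers NTP queries from nobody by default. Without an allow
# line the NAT port forward to UDP 123 delivers packets that are dropped.
allow 192.168.1.0/24          # assumed LAN subnet; add one line per (V)LAN
# Nothing else is allowed, so the WAN side stays closed to NTP queries.

# Cache NTS cookies and keys across restarts so chrony does not have to
# redo key exchange with every server after a reboot (assumed path).
ntsdumpdir /var/db/chrony

# Checks, run on the firewall:
#   chronyc -N authdata      # Mode must read NTS for every source above,
#                            # with a non-zero cookie count (Cook column)
#   chronyc sources -v       # reachability and offset per source
#   chronyc clients -v       # which LAN hosts are actually syncing from us
```

Inbound TCP 4460 or 8123 from the internet should stay blocked, as the logged Shadowserver probe was: those ports only need to be reachable if you run an NTS-KE server yourself.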