Can OPNsense Handle All NTP Requests with Forced Redirect?

Started by MrHappyHippo, October 17, 2025, 06:51:04 PM

October 17, 2025, 06:51:04 PM Last Edit: October 17, 2025, 06:57:33 PM by MrHappyHippo
Hi everyone,

I'm trying to set up my network in a way that forces all NTP (Network Time Protocol) traffic to go through my OPNsense firewall so it can handle time synchronization via Chrony. Here's what I have so far:

I have Chrony installed and running on my OPNsense firewall.

Some of my devices on the network use Chrony as their NTP client with NTS.

I want to redirect all outgoing NTP requests from these devices to OPNsense, essentially forcing them to sync time through OPNsense.

I'm considering using NAT redirection and firewall rules similar to how DNS requests are handled, but I'm not sure if NTP traffic can be redirected in the same way.

Specifically, I have a few questions:

1. Is it possible to redirect NTP traffic (UDP port 123) to OPNsense using firewall rules and NAT?

2. Can OPNsense act as the sole time server for all devices in my network, and how would I set that up?

3. Since some of my devices use Chrony with NTS, will OPNsense be able to handle these requests, or do I need additional configuration?

Ideally, I'd like to accomplish this with something similar to the way DNS redirection works using firewall rules and NAT redirection to force all NTP traffic to go through OPNsense.

Quote from: MrHappyHippo on October 17, 2025, 06:51:04 PM
1. Is it possible to redirect NTP traffic (UDP port 123) to OPNsense using firewall rules and NAT?
Yes. I do this as well.

Quote from: MrHappyHippo on October 17, 2025, 06:51:04 PM
2. Can OPNsense act as the sole time server for all devices in my network, and how would I set that up?
Just redirect requests to localhost with an associated filter rule.

Quote from: MrHappyHippo on October 17, 2025, 06:51:04 PM
3. Since some of my devices use Chrony with NTS, will OPNsense be able to handle these requests
Devices which use NTS might request a certain server, which they are expecting to get an SSL certificate from. OPNsense doesn't have a valid cert for the request, so the clients drop the connection.

But anyway, you should configure the devices to request OPNsense if possible. If they are requesting an NTP pool, each request goes to OPNsense while the client thinks it is requesting a different server, which leads to a request flood from the same IP. OPNsense will send a KoD packet then.

I'd assume that the clients fall back to NTP if no NTS server is reachable, but I don't know. So maybe this happens if you block NTS entirely on OPNsense. But redirecting the request will not work.
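A small way to see from a LAN client what the redirect actually does, as an added example (not code from this thread, nor from the chrony or OPNsense projects): it sends one plain NTPv4 client request to a given address and decodes the answer, telling a usable reply apart from a Kiss-o'-Death packet (stratum 0 with an ASCII code such as RATE in the reference ID field, per RFC 5905) and from a server that is itself not synchronised (leap indicator 3). With the redirect in place, a request aimed at an upstream pool address and one aimed at the firewall itself should come back with the same stratum and reference ID; a run of RATE answers is the flood condition described in the reply above. The firewall address 192.168.178.1 is taken from the client log later in this thread; the sample server replies are constructed for offline checking.

```python
"""Probe what answers UDP/123 from a LAN client and classify the reply.

Added example, not from the forum thread. The firewall address comes from the
client's chrony log in this thread; everything else here is constructed.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
NTP_PACKET = "!BBBb11I"         # LI/VN/Mode, stratum, poll, precision, then 11 32-bit words
OPNSENSE_LAN = "192.168.178.1"  # firewall LAN address as seen in the client's chrony log


def build_client_request() -> bytes:
    """Build a 48-byte NTPv4 client (mode 3) request with only the transmit timestamp set."""
    first = (0 << 6) | (4 << 3) | 3            # LI=0, VN=4, Mode=3 (client)
    now = time.time() + NTP_EPOCH_OFFSET
    tx_sec = int(now)
    tx_frac = int((now - tx_sec) * (1 << 32)) & 0xFFFFFFFF
    words = [0] * 9 + [tx_sec, tx_frac]         # root delay/disp, ref id, ref/orig/recv ts all zero
    return struct.pack(NTP_PACKET, first, 0, 0, 0, *words)


def parse_response(data: bytes) -> dict:
    """Decode the fixed NTP header. Stratum 0 means the reference ID is a 4-char ASCII KoD code."""
    if len(data) < 48:
        raise ValueError(f"short NTP packet ({len(data)} bytes)")
    fields = struct.unpack(NTP_PACKET, data[:48])
    lvm, stratum = fields[0], fields[1]
    ref_id = struct.pack("!I", fields[6])
    tx_sec, tx_frac = fields[13], fields[14]
    return {
        "leap": lvm >> 6,
        "version": (lvm >> 3) & 0x07,
        "mode": lvm & 0x07,
        "stratum": stratum,
        "ref_id": ref_id,
        "kod": ref_id.decode("ascii", "replace") if stratum == 0 else None,
        "tx_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / (1 << 32),
    }


def classify_response(data: bytes) -> str:
    """Tell a usable server answer apart from a KoD packet or an unsynchronised server."""
    info = parse_response(data)
    if info["mode"] != 4:
        return "unexpected-mode"
    if info["kod"] is not None:
        return "kod:" + info["kod"]        # e.g. kod:RATE = slow down, kod:DENY = stop asking
    if info["leap"] == 3:
        return "unsynchronised"            # the server has no valid time itself yet
    return "ok"


def make_server_response(stratum: int, ref_id: bytes, leap: int = 0) -> bytes:
    """Construct a mode-4 server reply (constructed sample data for offline checks)."""
    first = (leap << 6) | (4 << 3) | 4         # LI=leap, VN=4, Mode=4 (server)
    now = int(time.time() + NTP_EPOCH_OFFSET)
    ref_word = struct.unpack("!I", ref_id)[0]
    words = [0, 0, ref_word, now, 0, 0, 0, now, 0, now, 0]
    return struct.pack(NTP_PACKET, first, stratum, 6, -20, *words)


def probe(server: str = OPNSENSE_LAN, timeout: float = 2.0) -> dict:
    """Send one request to `server` and report the decoded verdict and header fields."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (server, 123))
        data, (addr, _port) = sock.recvfrom(512)
    info = parse_response(data)
    return {"responder": addr, "verdict": classify_response(data),
            "stratum": info["stratum"], "ref_id": info["ref_id"]}


if __name__ == "__main__":
    # Compare the firewall's own answer with one sent to an upstream address; with the
    # redirect active both should show the firewall's stratum and reference ID.
    print("firewall:", probe())
    print("upstream:", probe("1.ntp.ubuntu.com"))
```

Note that with a NAT redirect the responder address is rewritten back to whatever you asked, so the IP alone proves nothing; the stratum and reference ID are what show which server actually answered.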

October 17, 2025, 11:34:00 PM #2 Last Edit: October 19, 2025, 03:53:24 PM by MrHappyHippo
Nope, it's not working with a redirect rule.

OPNsense is using the chrony plugin.

My client, which is running Ubuntu 25.10, uses Chrony with NTS by default.

If the 123/UDP redirect rule is active and my LAN client uses Chrony with NTS (Network Time Security), it won't work.

If the 123/UDP redirect rule is active and my LAN client uses Chrony without NTS, it works.

If the 123/UDP redirect rule is inactive and my LAN client uses Chrony with NTS, it works.

My setup:

internet -> modem -> opnsense firewall -> router -> network devices

Output of my LAN client with Chrony and NTS and active 123/UDP redirect rule:
ubuntu@ubuntu:~$ sudo chronyc tracking
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000001 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 2.169 ppm fast
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
ubuntu@ubuntu:~$ sudo systemctl status chronyd
● chrony.service - chrony, an NTP client/server
     Loaded: loaded (/usr/lib/systemd/system/chrony.service; enabled; preset: enabled)
     Active: active (running) since Sun 2025-10-19 14:10:23 CEST; 18min ago
 Invocation: 8fc8127e9e5749de904bac3d8035352c
       Docs: man:chronyd(8)
             man:chronyc(1)
             man:chrony.conf(5)
   Main PID: 9258 (chronyd-starter)
      Tasks: 3 (limit: 75408)
     Memory: 6.1M (peak: 7.3M)
        CPU: 221ms
     CGroup: /system.slice/chrony.service
             ├─9258 /bin/sh /usr/lib/systemd/scripts/chronyd-starter.sh -n -F 1
             ├─9270 /usr/sbin/chronyd -n -F 1
             └─9271 /usr/sbin/chronyd -n -F 1

Oct 19 14:10:23 ubuntu chronyd[9270]: Frequency 2.169 +/- 1.737 ppm read from /var/lib/chrony/chrony.drift
Oct 19 14:10:23 ubuntu chronyd[9270]: Loaded seccomp filter (level 1)
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 1.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added source 192.168.178.1
Oct 19 14:10:23 ubuntu systemd[1]: Started chrony.service - chrony, an NTP client/server.
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 2.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 3.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool 4.ntp.ubuntu.com
Oct 19 14:10:23 ubuntu chronyd[9270]: Added pool ntp-bootstrap.ubuntu.com
Oct 19 14:10:39 ubuntu chronyd[9270]: Can't synchronise: no selectable sources (11 unreachable sources)