Problems setting up the rules for an NTP time server on my network

Started by RobLatour, January 28, 2023, 07:26:06 PM

 I have built my own NTP time server and it is running on my network, and what I would like to do is ensure all NTP requests made on my network are routed to this time server only.

I have the NTP Service running on OPNsense. 
Here is how it is configured:
https://ibb.co/88cm6Td

As I originally understood the documentation here: https://docs.opnsense.org/manual/ntpd.html
Quote: OPNsense ships with a standard NTPd server, which synchronizes time with upstream servers and provides time to connected clients.

the above configuration would be all that I needed.

However, I wanted to be able to know which devices on my network are getting the time from the time server, and how often.  So, I thought I would just be able to add a rule that allowed that to happen.  But once done I was not seeing the traffic in the live logs that I expected (in fact I wasn't seeing any).

Here is the rule:
https://ibb.co/9t3ZnRJ

I then found this post, https://forum.opnsense.org/index.php?topic=27640.msg134274#msg134274 and with some tweaks for my situation (below) I did get the traffic I was expecting.

https://ibb.co/s1fDZCR

But there is a problem.

If I query the time server directly (192.168.1.193) from a computer on my network, everything works fine.

However, from the same computer, if I query the time using pool.ntp.org I see the redirect but I also get a time-out.

If I remove the NAT port forwarding rule, it does not time out but in that case, the traffic is not going to my time server.

If you can provide any insights they would be appreciated.
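A client-side probe for the symptom described in this post, added here as an example and not taken from the thread or from OPNsense: it sends one NTPv4 client packet (48-byte layout per RFC 5905) to a server name and either reports a timeout or decodes the reply. Because a pf redirect rewrites the reply's source back to the address the client queried, the peer address alone does not show whether the local server answered; the stratum and reference identifier in the reply do. The two reply packets below are constructed (a stratum-1 "GPS" clock and a stratum-2 server with 192.168.1.1 as upstream) so the decoder can be exercised offline; the server names, stratum values and the timeout of 2 seconds are assumptions.

```python
"""Send one NTPv4 client query and report who answered.

Added example (not from the original forum thread). The 48-byte packet
layout follows RFC 5905; server names, stratum values and the timeout are
assumptions chosen for illustration.
"""
import socket
import struct
import sys

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def build_request() -> bytes:
    """Minimal client packet: LI=0, VN=4, mode=3 (client), all else zero.
    Real clients fill the transmit timestamp so replies can be matched;
    zeros are enough for a single probe."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3          # 0x23
    return bytes(pkt)


def ntp_to_unix(seconds: int, fraction: int) -> float:
    """Convert an NTP 64-bit timestamp (32.32 fixed point) to Unix seconds."""
    return seconds - NTP_UNIX_OFFSET + fraction / 2**32


def parse_response(data: bytes) -> dict:
    """Decode the header fields a client cares about."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (flags, stratum, poll, precision, root_delay, root_disp, refid,
     ref_s, ref_f, orig_s, orig_f, recv_s, recv_f, xmit_s, xmit_f) = \
        struct.unpack("!BBbbII4s8I", data[:48])
    if stratum <= 1:
        # Stratum 0/1: refid is a 4-character ASCII clock or kiss code.
        refid_txt = refid.rstrip(b"\x00").decode("ascii", "replace")
    else:
        # Stratum >= 2: refid is the upstream's IPv4 address (for an IPv6
        # upstream it is a hash fragment, so treat it as informational only).
        refid_txt = socket.inet_ntoa(refid)
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,                   # 4 = server reply
        "stratum": stratum,
        "refid": refid_txt,
        "transmit_unix": ntp_to_unix(xmit_s, xmit_f),
    }


def query(server: str, timeout: float = 2.0, port: int = 123):
    """Return the parsed reply plus the peer address, or None on timeout
    (the behaviour described in the post when the NAT redirect is on)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, port))
        try:
            data, peer = s.recvfrom(512)
        except socket.timeout:
            return None
    info = parse_response(data)
    info["peer"] = peer[0]   # with a pf redirect this is still the queried address
    return info


# Constructed replies (not captured traffic), mode 4, VN 4, transmit = ref + 1.5 s.
SAMPLE_REPLY_GPS = struct.pack(
    "!BBbbII4s8I", (0 << 6) | (4 << 3) | 4, 1, 6, -20, 0, 0, b"GPS\x00",
    3883936800, 0, 0, 0, 3883936801, 0, 3883936801, 1 << 31)
SAMPLE_REPLY_POOL = struct.pack(
    "!BBbbII4s8I", (0 << 6) | (4 << 3) | 4, 2, 6, -20, 0, 0,
    socket.inet_aton("192.168.1.1"),
    3883936800, 0, 0, 0, 3883936801, 0, 3883936801, 1 << 31)


if __name__ == "__main__":
    # Usage: python ntp_probe.py pool.ntp.org 192.168.1.193
    for name in sys.argv[1:] or ["pool.ntp.org"]:
        info = query(name)
        print(name, "-> timed out" if info is None else info)
```

Run it once against the local server's address and once against pool.ntp.org; if the redirect is working, both replies show the same stratum and reference identifier, and a timeout on the pool name reproduces the problem reported above.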



Add your server to Services - DHCP-Interface - NTP servers section

I don't see that as an option

https://ibb.co/sswJDry

However, Network time is already a listed service (and the screen shot for its settings is in my original post).

I found Services - DHCPV4 - LAN - NTP Servers - Advanced
so I tried entering in my time servers address of 192.168.1.193
and turning off the NAT Forwarding rule - but again I'm not seeing what I would expect in my logs.

To be clear, what I would expect is that if, for example, I have a query to pool.ntp.org, I would see traffic flowing to my time server in the logs.

Ok - so now I've disabled the NAT Forwarding rule, and I've not included my server's ip address in Services - DHCPV4 - LAN - NTP Servers - Advanced.

What I am seeing from the logs of my time server itself is that it is being hit up for a time check approximately once a minute from 192.168.1.1 the box on which OPNsense is running.

Accordingly, what I have also done is blocked all outgoing IPV4 and IPV6 NTP requests from my two interfaces (LAN and LANIOT) except for an IPV4 NTP request from 192.168.1.1.

With this, my systems continue to get the time OK when there is a request for the time from an external pool (such as pool.ntp.org), with presumably the OPNsense NTP server stepping in and satisfying them; also the NTP request to 192.168.1.1 continues to happen about once a minute (which is presumably the OPNsense NTP server making sure it has the right time).

So I'm now reasonably comfortable OPNsense and the NTP server are doing what they are intended to.

The only thing I lack is the ability to see via the live logs (or in another way) which devices are hitting up the OPNsense NTP server for time info.

SOLVED

On my LAN interface, I set up a rule to log all direction "in" IPv4 UDP/TCP port 123 requests with a label of "log all NTP requests from LAN".  Also, I set up the same rule on my LANIOT interface but with a label of "log all NTP requests from LANIOT".

Next, I set up a live rule filter, filtering on a label that contains "log all NTP requests".

With this, I now get a realtime view of all the devices on my network that are requesting an NTP time update.

All log entries show the source device requesting the update.  The log entry also shows the IP address of where it is requesting the NTP entry from.  However, the request never goes there as it is intercepted and handled by the OPNsense NTP server.

In any case, the original problem is solved and reporting is what I needed.

Hope this will be of help to others.
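The live-log filter described in the solved post answers "who is asking right now"; the same rule labels can also be summarised from the saved filter log to answer "which devices, and how often". The script below is an added example, not code from the thread or from OPNsense. It assumes the CSV layout that filterlog writes after the `filterlog[pid]:` syslog prefix (rulenr, subrulenr, anchor, label, interface, reason, action, direction, ipversion, then the IPv4 or IPv6 header fields); on releases that write the rule's id hash instead of its description in the label field, match on that id. The log lines are constructed to look like the rules above (two LAN clients, one LANIOT client, one unrelated HTTPS entry) and are not captured data.

```python
"""Summarise OPNsense filter-log entries for NTP (UDP/TCP port 123).

Added example, not from the original thread. Field layout is an assumption
based on the classic filterlog CSV format; adjust COMMON/IPV4/IPV6 if your
release differs.
"""
import csv
import sys
from collections import Counter

# Assumed filterlog layout after "filterlog[pid]: ".
COMMON = ["rulenr", "subrulenr", "anchor", "label", "interface", "reason",
          "action", "direction", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protonum", "protoname",
        "length", "src", "dst", "srcport", "dstport", "datalen"]
IPV6 = ["class", "flowlabel", "hoplimit", "protoname", "protonum", "length",
        "src", "dst", "srcport", "dstport"]
NTP_PORT = "123"


def parse_filterlog(line: str):
    """Return named fields for one syslog line, or None if it is not a
    filterlog entry or too short to carry port fields (e.g. ICMP)."""
    idx = line.find("filterlog")
    if idx < 0:
        return None
    payload = line[line.index(":", idx) + 1:].strip()
    fields = next(csv.reader([payload]))
    if len(fields) < len(COMMON):
        return None
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    layout = IPV4 if rec["ipversion"] == "4" else IPV6
    rest = fields[len(COMMON):]
    if len(rest) < len(layout):
        return None
    rec.update(zip(layout, rest[:len(layout)]))
    return rec


def summarise_ntp(lines, label_substring="log all NTP requests"):
    """Count NTP requests per source device, per (source, requested server)
    and per interface, using the rule label exactly like the live-log filter."""
    per_source, per_pair, per_iface = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or label_substring not in rec["label"]:
            continue
        if rec["direction"] != "in" or rec["protoname"] not in ("udp", "tcp"):
            continue
        if rec["dstport"] != NTP_PORT:
            continue
        per_source[rec["src"]] += 1
        per_pair[(rec["src"], rec["dst"])] += 1
        per_iface[rec["interface"]] += 1
    return {"per_source": per_source, "per_pair": per_pair, "per_interface": per_iface}


def report(summary) -> str:
    out = ["NTP requests per device:"]
    for src, n in summary["per_source"].most_common():
        out.append("  %-24s %d" % (src, n))
    out.append("Requested servers (intercepted by the OPNsense NTP server):")
    for (src, dst), n in sorted(summary["per_pair"].items()):
        out.append("  %s -> %s  x%d" % (src, dst, n))
    return "\n".join(out)


# Constructed sample log, not captured traffic.
SAMPLE_LOG = """\
Jan 28 20:10:01 OPNsense filterlog[71231]: 77,,,log all NTP requests from LAN,igb0,match,pass,in,4,0x0,,64,4711,0,DF,17,udp,76,192.168.1.50,162.159.200.1,53411,123,56
Jan 28 20:10:03 OPNsense filterlog[71231]: 77,,,log all NTP requests from LAN,igb0,match,pass,in,4,0x0,,64,4712,0,DF,17,udp,76,192.168.1.50,162.159.200.123,53412,123,56
Jan 28 20:10:09 OPNsense filterlog[71231]: 78,,,log all NTP requests from LANIOT,igb1,match,pass,in,4,0x0,,64,9,0,none,17,udp,76,192.168.2.20,192.168.1.193,123,123,56
Jan 28 20:10:15 OPNsense filterlog[71231]: 12,,,default allow LAN to any,igb0,match,pass,in,4,0x0,,64,9001,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,50000,443,0,S,1,,65535,,mss
Jan 28 20:10:20 OPNsense filterlog[71231]: 77,,,log all NTP requests from LAN,igb0,match,pass,in,6,0x00,0x00000,64,udp,17,56,fd00::50,2606:4700:f1::1,40000,123
"""


if __name__ == "__main__":
    # Usage: python ntp_log_summary.py /var/log/filter/latest.log   (or no arg for the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(summarise_ntp(fh)))
    else:
        print(report(summarise_ntp(SAMPLE_LOG.splitlines())))
```

The destination column is the server each client asked for, which the solved post notes is not where the request actually ends up; the per-device counts are what the thread set out to obtain.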