Redirect NTP on local interfaces to OPNSense

Started by CJ, February 20, 2021, 09:29:01 PM

I want all of my machines to be synced with the NTP server on OPNSense so that my logs don't drift.  I've tried pushing NTP servers via the DHCP options but as far as I can tell no OS respects those fields.

Therefore I want to redirect all NTP calls to OPNSense.  I've tried several different port forward rules without much success.  Additionally, there doesn't seem to be a This Firewall option in the redirect selection.

Anyone have any suggestions?  Most of the examples I've found are for external access or redirecting all DNS to a pihole.  Thanks.

Hi.
You need a NAT portforward rule for every interface.
Look at the attached file.

Btw. disable NAT reflection for each rule.

Quote from: rantwolf on February 21, 2021, 12:31:41 AM
Hi.
You need a NAT portforward rule for every interface.
Look at the attached file.

Btw. disable NAT reflection for each rule.

That worked, thanks.  I did however change the destination to !This Firewall to make cloning of the rules a bit easier.  It would be nice if I could set This Firewall in the forward IP address but I have it all configured now.

Not sure why, but I can't get this to work.  DNS redirect works fine, but NTP goes right past my NAT port forward.  Any ideas on how I might troubleshoot this?  Attached are my NAT and associated interface rules.  NAT reflection is disabled.



DEC850

Quote from: Fawkesguy on May 16, 2021, 03:43:38 AM
Not sure why, but I can't get this to work.  DNS redirect works fine, but NTP goes right past my NAT port forward.  Any ideas on how I might troubleshoot this?  Attached are my NAT and associated interface rules.  NAT reflection is disabled.

Try !This Firewall instead of !LAN Address.  That's the only difference I see.

And 192.168.1.1 is your OPNSense LAN IP?

I've also noticed that my previously working NTP redirect is now no longer working, though my DNS redirect is working perfectly fine.

Quote from: Spritzup on June 04, 2021, 08:46:34 PM
I've also noticed that my previously working NTP redirect is now no longer working, though my DNS redirect is working perfectly fine.

Since DNS is easily pushed via DHCP unlike NTP, I just went for DNS blocking instead of redirection.

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-1/

June 09, 2021, 04:56:58 PM #7 Last Edit: June 09, 2021, 05:01:22 PM by mircolino
The following works for me:

Firewall: Aliases

Name          Type      Content
------------- --------- ---------
router_addr   host(s)   localhost
router_ports  port(s)   53,123

Firewall: NAT: Port Forward

                        Source   Source  Destination   Destination   NAT IP       NAT Ports
Interface     Protocol  Address  Ports   Address       Ports
------------- --------- -------- ------- ------------- ------------- ------------ ------------
LAN           TCP/UDP   *        *       !LAN Address  router_ports  router_addr  router_ports


It goes without saying that LAN clients need access to "LAN Address" (the LAN gateway).

Sorry for the necrobump..

Just moved to opnsense and ntp redirect seemed to work fine.. I just wanted to point out what I found..

Looks like you cannot make ntpd listen on loopback, so no redirecting to 127.0.0.1 (there is no ntpd listening)

On this page: Services: Network Time: General

These options control access to NTP from the WAN.

Enable Kiss-o'-death packets

All my firewall/redirection rules were correct, but now my hosts were getting KoD packets, but it was being logged as the actual server KoD'd them..

Nov 24 10:21:28 art3mis chronyd[4001]: Received KoD RATE from 62.168.65.36
Nov 24 10:23:06 art3mis chronyd[4824]: Received KoD RATE from 65.182.224.60
Nov 24 10:23:34 art3mis chronyd[4824]: Received KoD RATE from 171.66.97.126

(then I removed the KoD checkbox.. )

Nov 24 10:23:47 art3mis chronyd[4858]: chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
Nov 24 10:23:47 art3mis chronyd[4858]: Frequency -0.046 +/- 0.635 ppm read from /var/lib/chrony/drift
Nov 24 10:23:47 art3mis chronyd[4858]: Using right/UTC timezone to obtain leap second data
Nov 24 10:23:47 art3mis systemd[1]: Started NTP client/server.
Nov 24 10:23:52 art3mis chronyd[4858]: Selected source 23.131.160.7 (2.arch.pool.ntp.org)
Nov 24 10:23:52 art3mis chronyd[4858]: System clock TAI offset set to 37 seconds


(not working, kod packets, etc.)
# chronyc tracking
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000003 seconds slow of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.046 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised

(working, with ntp redirection)
# chronyc tracking
Reference ID    : 1783A007 (time.nullroutenetworks.com)
Stratum         : 7
Ref time (UTC)  : Wed Nov 24 15:23:54 2021
System time     : 0.000000008 seconds slow of NTP time
Last offset     : +0.000007702 seconds
RMS offset      : 0.000007702 seconds
Frequency       : 0.042 ppm slow
Residual freq   : +0.726 ppm
Skew            : 0.777 ppm
Root delay      : 0.032589957 seconds
Root dispersion : 0.945359826 seconds
Update interval : 2.0 seconds
Leap status     : Normal

With ntpd on opnsense turned off the clients do not sync.. but I do not have any way to look at opnsense and confirm they came to me for sync..

Thanks in advance.
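As an added example (not from this thread), a small Python NTP client for checking the redirect from a LAN host: it sends one mode-3 request to any address on UDP/123 and decodes the reply's stratum, reference ID and kiss code, so a query aimed at a public pool address can be shown to be answered by the firewall's ntpd, and a KoD reply such as RATE (as in the chronyd log above) is decoded rather than mistaken for a real server. The target address passed to query() is an assumption; any public NTP IP works.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)


def build_ntp_request() -> bytes:
    """Build a 48-byte NTPv4 client (mode 3) packet; only the transmit timestamp is set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, version 4, mode 3 (client)
    xmt_seconds = int(time.time()) + NTP_EPOCH_OFFSET
    # header (4 bytes) + 11 32-bit words: root delay, root disp, refid, ref/orig/recv/xmt stamps
    return struct.pack("!BBbb11I", li_vn_mode, 0, 0, 0, *([0] * 9), xmt_seconds, 0)


def parse_ntp_response(data: bytes) -> dict:
    """Decode the fields that reveal who answered: stratum, reference ID and kiss code."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, _poll, _precision = struct.unpack("!BBbb", data[:4])
    words = struct.unpack("!11I", data[4:48])
    refid_raw = data[12:16]
    if stratum <= 1:
        # Stratum 0 (kiss-o'-death) and 1 carry a 4-char ASCII code, e.g. b"RATE" or b"GPS"
        refid = refid_raw.decode("ascii", "replace").rstrip("\x00")
    else:
        refid = socket.inet_ntoa(refid_raw)        # IPv4 of the server's own upstream source
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,
        "stratum": stratum,
        "refid": refid,
        "kod": stratum == 0,                       # KoD replies are stratum 0 with a kiss code
        "transmit_unix": words[9] - NTP_EPOCH_OFFSET,
    }


def query(server: str, timeout: float = 2.0) -> dict:
    """Send one request to `server` on UDP/123 and parse whatever answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.monotonic()
        s.sendto(build_ntp_request(), (server, 123))
        data, addr = s.recvfrom(512)
        rtt_ms = (time.monotonic() - t0) * 1000
    info = parse_ntp_response(data)
    # With a NAT redirect the reply is un-NATed, so addr still equals `server`;
    # the firewall's stratum/refid and a LAN-level RTT are what prove the redirect.
    info["from"], info["rtt_ms"] = addr[0], round(rtt_ms, 1)
    return info
```

Running `query("pool.ntp.org")` from a LAN client with the redirect in place should return the firewall ntpd's stratum and refid (the same values `chronyc tracking` shows) with a sub-millisecond RTT; without the redirect the stratum/refid belong to whichever pool server answered.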