[SOLVED] Issues with NTP Port Forward / Redirect to OPNsense NTP Server

Started by h3zwe, March 25, 2024, 12:08:02 PM

My DNS port forward is working great, so I've cloned and amended the rule for NTP. Firewall logs show rdr entries (so something is clearly happening), however the redirect is not working.

When I manually input my gateway IP into the client's NTP settings, everything is working.

I did read through https://forum.opnsense.org/index.php?topic=21641.0, https://forum.opnsense.org/index.php?topic=27640.msg134274#msg134274, and multiple other posts across the Internet, but none of those settings seem to work for me.

Is there a known issue with NTP port forwarding, that makes it not work the same as DNS port forwarding?

For what it's worth, my (working) DNS and (not working) NTP settings:

Interface    Proto    Source    Src Ports    Destination    Dest Ports    NAT IP    NAT Ports
LAN    TCP/UDP    *    *    ! LAN net    53 (DNS)    10.9.0.1    53 (DNS)
LAN    TCP/UDP    *    *    ! LAN net    123 (NTP)    10.9.0.1    123 (NTP)


I'm hoping there's a simple setting I am not aware of, that might fix all of this :)

I'm hoping you get an answer because I need to forward my NTP requests back to my own clock or AD server. Things like RasPi always have ntp.org and my organization blocks outside NTP clocks (a security thing, or so I'm told).

Quote from: Greg_E on March 25, 2024, 02:45:11 PM
I'm hoping you get an answer because I need to forward my NTP requests back to my own clock or AD server. Things like RasPi always have ntp.org and my organization blocks outside NTP clocks (a security thing, or so I'm told).

If it's a limited number of devices/NTP domains, you could rewrite the DNS query I would think? Might be easier than a more general NTP redirect.

This is how I did it:

Interface    Proto    Source    Src Ports    Destination    Dest Ports    NAT IP    NAT Ports
LAN    TCP/UDP    *    *    ! FireWall    53 (DNS)    LAN Address    53 (DNS)
LAN    TCP/UDP    *    *    ! FireWall    123 (NTP)    LocalHost    123 (NTP)

Tried that just now, and no change. It's still going 'outside' past the gateway.

Try enabling logging on the NAT rule and see if it hit the rule (rdr rule).

Quote from: zan on March 26, 2024, 04:13:21 AM
Try enabling logging on the NAT rule and see if it hit the rule (rdr rule).

It does, that's what I don't understand. The rdr rule is displayed in the log, but it's not actually doing anything in terms of redirecting the NTP query to (and stopping at) the gateway.

LAN --> 10.9.0.123:56575 27.124.125.250:123 udp rdr rule

It works then, the log only shows the original destination before it gets NATed.
Check your WAN log for traffic going to that destination & port.

I may have found the error.


Up until now, my assumption was that the NTP redirect should stop at the gateway, as that is where the OPNsense NTP server is bound to.

However, using ntptrace on a host that had the OPNsense NTP server specifically set (i.e. no redirect), it goes from localhost to the gateway, to the 'Active Peer' visible under 'Services: Network Time: Status' in OPNsense.


I had thought it would stop at the OPNsense gateway and consider this the 'server', not connect to the 'Active Peer' on the Internet.

Clearly that was a misunderstanding on my part.

Shouldn't ntpd only connect to upstreams during polling time?
I've forgotten how ntpd behaved, been using chrony for the past ten years or so.

Quote from: zan on March 26, 2024, 05:56:10 AM
Shouldn't ntpd only connect to upstreams during polling time?
I've forgotten how ntpd behaved, been using chrony for the past ten years or so.

I have switched to chrony, and everything is working as expected now. I can see every client in my LAN with 'chronyc clients', even the ones that were not explicitly set to do so.

Thanks for that pointer!

Would you happen to know if I still need to set a cron job for OPNsense to update its time via chrony, or if the plugin takes care of that now? I've run into the same situation as this post here https://old.reddit.com/r/OPNsenseFirewall/comments/18hcnlk/chrony_nts_wont_syncronize_the_localhost_firewall/

Quote from: h3zwe
Would you happen to know if I still need to set a cron job for OPNsense to update its time via chrony, or if the plugin takes care of that now? I've run into the same situation as this post here

Not needed, chronyd will manage the local clock and provide service to network clients as long as it is running.
Also don't forget to remove all Time servers in Services > Network Time > General and enable client mode to prevent OPNsense from starting ntpd.