NTP Redirect via DNAT

Started by ddam191, Today at 03:12:01 AM

Today at 03:12:01 AM Last Edit: Today at 03:45:16 AM by ddam191
I'm trying to set up NTP redirects across my network using DNAT, but am running into issues where clients are still reaching outside NTP pools and bypassing my NAT rule.

I have the following set up under Destination NAT:

Interface: VLAN_2212, VLAN_2224, VLAN_2248, VLAN_2296 (i.e. all VLAN interfaces within my network)
Version: IPv4
Protocol: TCP/UDP
Source: all empty
Destination invert: checked
Destination address: This Firewall
Destination port: 123
Redirect target IP: This Firewall
Redirect port: 123
Firewall rule: Pass

I cloned this rule from a DNS redirect that seems to be working, so hopefully someone can tell me what I'm missing.

Any difference if you change "Redirect Target IP" to 127.0.0.1?
N5105/8GB/4xi226-V (local)
J4125/8GB/4xi210 (remote)
26.1 Community

Quote from: OPNenthu on Today at 03:28:29 AM
Any difference if you change "Redirect Target IP" to 127.0.0.1?

No, I tried an alias I have called localhost that points to 127.0.0.1 but that doesn't change anything.

IPv6? When your clients use DNS names for the NTP servers, IPv6 is preferred and you need a second rule for it. Note that ::1 and LL-addresses do not work as targets for redirection, so you have to use a GUA or ULA (e.g. as virtual IP).
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

>>>>
Protocol: TCP/UDP
Source: all empty
Destination invert: checked
Destination address: This Firewall
Destination port: 123
Redirect target IP: This Firewall
>>>>

You have a few errors. Here's what you need to change:

Protocol: UDP
Source: any
Destination invert: UNchecked
Destination address: any
Destination port: 123
Redirect target IP: 127.0.0.1
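
One way to confirm that a rule like the corrected one above (or the IPv4/IPv6 variants discussed later in the thread) is really intercepting traffic, rather than trusting the rule table: send a raw NTP request to a couple of arbitrary outside addresses and compare the reply headers with what the firewall's own NTP daemon returns. Because pf reverse-translates the reply, the source address of the answer will always look like the address you asked, so the packet contents (stratum and reference ID) are what to compare. This is an added example written for this thread, not OPNsense code or anything posted above; the script takes the firewall address and the external addresses as command-line arguments, and the IPv4 addresses used in comments are placeholders.

```python
"""Check whether an NTP DNAT redirect is actually intercepting client traffic.

With the redirect in place, a request sent to *any* outside address on UDP/123
is answered by the firewall's own NTP daemon, so every reply carries the same
stratum and reference ID as a query sent to the firewall directly.  An IPv6
address works too, which is the case the redirect most often misses.
"""
import socket
import struct
import sys
import time

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
NTP_PORT = 123


def build_client_request() -> bytes:
    """48-byte NTPv4 client packet (LI=0, VN=4, mode=3) with a transmit timestamp."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3  # LI | VN | mode -> 0x23
    now = time.time() + NTP_UNIX_OFFSET
    secs = int(now)
    frac = int((now - secs) * (1 << 32)) & 0xFFFFFFFF
    struct.pack_into("!II", pkt, 40, secs, frac)  # transmit timestamp field
    return bytes(pkt)


def parse_response(pkt: bytes) -> dict:
    """Decode the header fields that identify which server produced a reply."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(pkt))
    li_vn_mode, stratum = struct.unpack("!BB", pkt[:2])
    refid = pkt[12:16]
    if stratum >= 2:
        # stratum >= 2: IPv4 address of the upstream (or 4-byte hash of an IPv6 one)
        refid_str = ".".join(str(b) for b in refid)
    else:
        # stratum 1: ASCII clock source (e.g. GPS); stratum 0: kiss-o'-death code
        refid_str = refid.rstrip(b"\x00").decode("ascii", "replace")
    tx_secs, tx_frac = struct.unpack("!II", pkt[40:48])
    return {
        "version": (li_vn_mode >> 3) & 0x07,
        "mode": li_vn_mode & 0x07,  # 4 = server reply
        "stratum": stratum,
        "refid": refid_str,
        "transmit_time": tx_secs - NTP_UNIX_OFFSET + tx_frac / (1 << 32),
    }


def query(host: str, port: int = NTP_PORT, timeout: float = 2.0) -> dict:
    """Send one request to host (IPv4 or IPv6 literal) and return the parsed reply."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), (host, port))
        data, peer = sock.recvfrom(512)
    result = parse_response(data)
    result["peer"] = peer[0]  # will equal `host` even when DNAT answered
    return result


def redirect_in_effect(firewall_reply: dict, external_replies: list) -> bool:
    """True when every 'external' reply carries the firewall's own stratum/refid."""
    if not external_replies:
        return False
    signature = (firewall_reply["stratum"], firewall_reply["refid"])
    return all(r["mode"] == 4 and (r["stratum"], r["refid"]) == signature
               for r in external_replies)


if __name__ == "__main__":
    # Usage: python3 ntp_redirect_check.py <firewall-ip> <external-ip> [<external-ip> ...]
    # e.g.   python3 ntp_redirect_check.py 192.168.1.1 203.0.113.10 2001:db8::123
    # (addresses above are placeholders; use your firewall and any public NTP address)
    if len(sys.argv) < 3:
        sys.exit("usage: %s <firewall-ip> <external-ip> [...]" % sys.argv[0])
    fw_reply = query(sys.argv[1])
    print("firewall:", fw_reply)
    replies = []
    for host in sys.argv[2:]:
        try:
            reply = query(host)
        except OSError as exc:
            print(host, "no reply:", exc)  # a timeout here means the rule is not passing or not matching
            continue
        print(host, reply)
        replies.append(reply)
    print("DNAT intercepting NTP:", redirect_in_effect(fw_reply, replies))
```

Run it from a client on one of the redirected VLANs, not from the firewall itself, since the rule only matches traffic entering the VLAN interface. Include at least one IPv6 address in the list: if the IPv4 checks pass but the IPv6 query gets a reply with a different stratum/refid, clients resolving pool names to AAAA records are still bypassing the redirect.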

Today at 10:51:31 AM #5 Last Edit: Today at 10:53:13 AM by bamf
I use the following NAT rule for this:

Interface: LAN
Version: IPv4
Protocol: UDP
Destination Address: !LAN net
Destination Port: 123
Redirect Target IP: 192.168.100.1
Redirect Target Port: 123

Working fine so far. But I haven't been able to achieve this for IPv6. So I blocked IPv6 NTP completely:

Action: Reject
Interface: LAN
Direction: In
TCP/IP Version: IPv6
Protocol: UDP
Source: Any
Destination: !LAN net
Destination port range: 123-123

Today at 11:02:02 AM #6 Last Edit: Today at 11:03:47 AM by meyergru
These are my rules:

[Two attachments (screenshots of the rules) are not available.]

As I said, fdfd::1 is a virtual ULA IPv6 that can be assigned to any LAN interface.