[SOLVED] NTP Redirect via DNAT

Started by ddam191, February 18, 2026, 03:12:01 AM

February 18, 2026, 03:12:01 AM Last Edit: Today at 02:42:37 AM by ddam191
I'm trying to set up NTP redirects across my network using DNAT, but am running into issues where clients are still reaching outside NTP pools and bypassing my NAT rule.

I have the following set up under Destination NAT:

Interface: VLAN_2212, VLAN_2224, VLAN_2248, VLAN_2296 (i.e. all VLAN interfaces within my network)
Version: IPv4
Protocol: TCP/UDP
Source: all empty
Destination invert: checked
Destination address: This Firewall
Destination port: 123
Redirect target IP: This Firewall
Redirect port: 123
Firewall rule: Pass

I cloned this rule from a DNS redirect that seems to be working, so hopefully someone can tell me what I'm missing.

Any difference if you change "Redirect Target IP" to 127.0.0.1?
N5105 | 8/250GB | 4xi226-V | Community

Quote from: OPNenthu on February 18, 2026, 03:28:29 AM
Any difference if you change "Redirect Target IP" to 127.0.0.1?

No, I tried an alias I have called localhost that points to 127.0.0.1 but that doesn't change anything.

IPv6? When your clients use DNS names for the NTP servers, IPv6 is preferred and you need a second rule for it. Note that ::1 and LL-addresses do not work as targets for redirection, so you have to use a GUA or ULA (e.g. as virtual IP).
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

>>>>
Protocol: TCP/UDP
Source: all empty
Destination invert: checked
Destination address: This Firewall
Destination port: 123
Redirect target IP: This Firewall
>>>>

You have a few errors. Here's what you need to change:

Protocol: UDP
Source: any
Destination invert: UNchecked
Destination address: any
Destination port: 123
Redirect target IP: 127.0.0.1

February 18, 2026, 10:51:31 AM #5 Last Edit: February 18, 2026, 10:53:13 AM by bamf
I use the following NAT rule for this:

Interface: LAN
Version: IPv4
Protocol: UDP
Destination Address: !LAN net
Destination Port: 123
Redirect Target IP: 192.168.100.1
Redirect Target Port: 123

Working fine so far. But I haven't been able to achieve this for IPv6. So I blocked IPv6 NTP completely:

Action: Reject
Interface: LAN
Direction: In
TCP/IP Version: IPv6
Protocol: UDP
Source: Any
Destination: !LAN net
Destination port range: 123-123

February 18, 2026, 11:02:02 AM #6 Last Edit: February 18, 2026, 11:03:47 AM by meyergru
These are my rules:

As I said, fdfd::1 is a virtual ULA IPv6 that can be assigned to any LAN interface.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
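The IPv4 redirect bamf posted and the IPv6 counterpart meyergru describes (redirect to a ULA virtual IP, since ::1 and link-local addresses do not work as rdr targets), written out as an equivalent pf.conf fragment. This is an added illustration, not the text OPNsense itself writes to /tmp/rules.debug; the interface and network macros are placeholders you would replace with your own values.

```pf
# Placeholders (assumed, not from the thread): adjust to your LAN device and prefixes.
lan_if   = "igc1"              # the device behind the OPNsense "LAN" interface
lan_net  = "192.168.100.0/24"  # "LAN net" for IPv4; 192.168.100.1 is the firewall, per bamf's rule
lan_net6 = "fdfd::/64"         # ULA prefix carrying the virtual IP fdfd::1 from meyergru's post

# IPv4: any UDP/123 from LAN that is NOT already aimed at the LAN network
# (i.e. an outside pool server) is rewritten to the firewall's own ntpd.
rdr on $lan_if inet proto udp from any to ! $lan_net port 123 -> 192.168.100.1 port 123

# IPv6: same idea, but the target must be a routable GUA/ULA virtual IP.
# "-> ::1" or a fe80:: address here would not work as a redirect target.
rdr on $lan_if inet6 proto udp from any to ! $lan_net6 port 123 -> fdfd::1 port 123

# Translation happens before filtering, so the pass rules match the
# rewritten destination (the GUI's "Firewall rule: Pass" does this for you).
pass in quick on $lan_if inet  proto udp from any to 192.168.100.1 port 123
pass in quick on $lan_if inet6 proto udp from any to fdfd::1       port 123

# Alternative bamf used instead of an IPv6 redirect: reject outbound IPv6 NTP outright.
# block return in quick on $lan_if inet6 proto udp from any to ! $lan_net6 port 123
```

Because the rdr rewrites the destination before the packet leaves, confirming it works means capturing on the WAN side (no UDP/123 to pool servers should appear), as the OP found, not on the VLAN interfaces where the clients' original destination is still visible.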

Thanks for the suggestions. I realized that after modifying my DNAT rule that I needed to run a packet capture on the WAN interface, not the internal interfaces, to confirm that the rule was working, which it now is. The rule is truly transparent since each device thinks it's contacting its configured NTP server, but OPNsense is intercepting and redirecting the traffic.

Solved.

I use this same thing for re-routing DNS, but the DNAT rule seems to ignore the interfaces selected: I had LAN only on the DNAT, and the rule still acts on the CAMERA interface. Hope that gets fixed soon.

Quote from: bamf on February 18, 2026, 10:51:31 AM
I use the following NAT rule for this:

Interface: LAN
Version: IPv4
Protocol: UDP
Destination Address: !LAN net
Destination Port: 123
Redirect Target IP: 192.168.100.1
Redirect Target Port: 123

Today at 04:48:56 PM #9 Last Edit: Today at 05:33:14 PM by meyergru
I would doubt that - unless you mix tagged and untagged traffic on the same physical interface and the rule somehow applies to your camera VLAN as well. You can look at /tmp/rules.debug to convince yourself of what gets thrown at pf.

P.S.: If you did the same as here, namely to redirect to "This Firewall": try 127.0.0.1 instead. Details matter.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+