NTP for all Interfaces

I have a few VLANs and would like to use OpenWrt as the NTP server. I found the wiki that lets you enable it from the command line, but can we do it from LuCI?

Under System > Time Sync tab > Provide NTP server > enable: is that enough for all interfaces, or would I need to set up firewall rules for the VLANs?

Did you block NTP or other input traffic in these firewall zones?

If not, then enabling NTP Server is OK.

2 Likes

Yes, enabling the NTP server as you described will be enough in general, but there are two other things that need to be considered:

  1. If you want to advertise your OpenWrt router as the NTP server via DHCP, add DHCP option 42 with the address of the router.
  2. The other factor you must consider is your firewall. If any of your VLANs are associated with zones/rules that prohibit router INPUT, you will need to add a rule to accept the NTP traffic (UDP port 123).

3 Likes
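The three points above (enable the server, advertise it with DHCP option 42, accept UDP 123 from a VLAN zone) expressed as UCI commands, as an added example that is not from the thread. It assumes the router address 192.168.1.1 and that each VLAN's firewall zone has the same name as its DHCP pool section in /etc/config/dhcp (e.g. 'guest'); both are constructed placeholders. The functions only print `uci batch` lines, so the change can be reviewed before `apply_ntp_batch` runs it on the router.

```shell
#!/bin/sh
# Added example (not from the thread): generate, and optionally apply, the UCI
# changes that make OpenWrt serve NTP to VLAN zones. Zone/pool names and the
# router address are constructed placeholders.

ROUTER_IP="${ROUTER_IP:-192.168.1.1}"   # assumed router address seen by the VLANs

# uci batch lines enabling the built-in NTP server (sysntpd) in /etc/config/system.
ntp_server_uci() {
    cat <<EOF
set system.ntp.enabled='1'
set system.ntp.enable_server='1'
EOF
}

# uci batch line advertising ROUTER_IP via DHCP option 42 on pool $1
# (the section name in /etc/config/dhcp, e.g. 'lan' or 'guest').
ntp_dhcp_option_uci() {
    pool="$1"
    echo "add_list dhcp.${pool}.dhcp_option='42,${ROUTER_IP}'"
}

# uci batch lines for a firewall rule accepting UDP 123 from zone $1 to the
# router itself (no dest zone = "input"). Only the destination port is matched:
# clients do not all send from source port 123, so src_port is left unset.
ntp_accept_rule_uci() {
    zone="$1"
    id="ntp_allow_$(printf '%s' "$zone" | tr -c 'A-Za-z0-9_' '_')"  # UCI section name
    cat <<EOF
set firewall.${id}=rule
set firewall.${id}.name='Allow-NTP-${zone}'
set firewall.${id}.src='${zone}'
set firewall.${id}.proto='udp'
set firewall.${id}.dest_port='123'
set firewall.${id}.target='ACCEPT'
EOF
}

# Full batch for every zone/pool given as an argument, ending with a commit.
ntp_batch() {
    ntp_server_uci
    for z in "$@"; do
        ntp_dhcp_option_uci "$z"
        ntp_accept_rule_uci "$z"
    done
    echo "commit"
}

# On the router: apply and restart the affected services. Elsewhere: print
# the batch for review instead of failing.
apply_ntp_batch() {
    if command -v uci >/dev/null 2>&1; then
        ntp_batch "$@" | uci batch \
            && /etc/init.d/sysntpd restart \
            && /etc/init.d/dnsmasq restart \
            && /etc/init.d/firewall restart
    else
        echo "uci not found; review the batch and run it on the router:" >&2
        ntp_batch "$@"
    fi
}

# Usage on the router, for zones/pools 'guest' and 'iot':
#   apply_ntp_batch guest iot
# Afterwards `netstat -uln | grep ':123 '` should show sysntpd listening.
```

Zones whose input policy is already ACCEPT (the default lan zone) need no extra rule; the rule only matters for zones that reject input and allow DHCP/DNS explicitly, which is the situation described above.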

Yes, some of the VLANs are set to reject by default and only accept DHCP and DNS, so it makes sense that I'd need to allow NTP. That confirms my thinking.

What would be the reason I would want to allow NTP server via DHCP?

The firewall (not DHCP) controls the 'allow' part of the equation.
If you advertise the NTP server via DHCP, your client devices will be aware of (and hopefully choose to use) your router as their NTP server. If you do not advertise it, the clients won't be aware unless you manually set the NTP server in the respective configurations (i.e. on the clients/hosts themselves in their time settings).

2 Likes

I'm manually setting it on the devices I care about, so will not use option 42 for now.

1 Like

I doubt there are many devices in reality that will care about a "DHCP option 42".
All network equipment with even the smallest level of self-respect (routers, switches, APs, etc.) always has its NTP servers either preset to call home or set manually.

And the rest of the clients on a network seem to call home without choice, wherever in the world that NTP server is.

2 Likes

I've found one can redirect 123/udp in the same manner as DNS Hijacking.

3 Likes

That is also on my to-do list: to redirect all hardcoded NTP requests back to OpenWrt.

1 Like

No idea how to do it in LuCI, but it's trivial just editing the config.

# NTP intercept in /etc/config/firewall. No 'target' means DNAT (the default),
# and with no 'dest_ip' the matched traffic is redirected to the router itself.
config redirect
        option name      'ntp-intercept'
        option family    'any'
        option proto     'udp'
        option src       'lan'       # zone whose clients are intercepted
        option src_dport '123'       # port the clients are sending to

2 Likes

https://forum.openwrt.org/t/forward-internal-ntp-requests-to-router/192317
Search, read, learn and do…

So, I've enabled the NTP server and allowed UDP port 123 from my VLAN to the router but it still does not work. I have one rule for DHCP and DNS, modified it to allow NTP.

What am I doing wrong?

Created another rule and it's still not working.

Remove the source port.

1 Like

No luck on that

Let's review the config in more detail:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/system
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Are you doing a firewall rule or a redirect, since a redirect doesn't have source and destination ports but rules have those choices?

1 Like

I usually use a port forward of traffic coming from the LAN. For example, on my current router:

Then on the firewall status page under Rule container chain "dstnat_lan" I can see:

I use LuCI and this is what it put in /etc/config/firewall:

# NTP intercept as written by LuCI: UDP traffic from the lan zone destined to
# port 123 is DNATed to the router's own address and port.
config redirect
        option target 'DNAT'
        option name 'Intercept-NTP'
        list proto 'udp'
        option src 'lan'
        option src_dport '123'
        option dest_ip '192.168.1.1'   # the router's lan address
        option dest_port '123'

Notes:

  1. Tested in 24.10.0-rc2, which seems to have changed how some options appear in LuCI.
  2. The OpenWrt router is set to provide NTP.

1 Like

Set the destination zone as input (this device). And note that you're only intercepting NTP traffic that is originating from the lan.

Keep in mind that the NTP hijacking is a different thing than having a running server. The former will only work properly if the server is up, so work on verifying that the server works from the desired network(s) when you actively set it as the NTP server on a device that will honor that configuration.
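The posts above involve two separate things: an accept rule (or a zone with input ACCEPT) so the router actually serves NTP to a zone, and a DNAT redirect that intercepts clients with a hardcoded server. The following audit script, an added example that is not from the thread, reads /etc/config/firewall and reports per zone which of the two is in place, which is the check to make before assuming a "still not working" is the firewall. The sample config it ships with is constructed for illustration (zones lan, guest and iot and the address 192.168.1.1 are placeholders); on a router run `ntp_report guest iot < /etc/config/firewall`.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/config/firewall for NTP.
# Prints "accept ZONE" for zones that can reach the router's NTP server
# (zone input ACCEPT, or an ACCEPT rule to the device for UDP 123) and
# "redirect ZONE" for zones whose UDP 123 traffic is DNATed to the router.

# Constructed sample config, standing in for /etc/config/firewall.
sample_firewall() {
    cat <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'

config rule
	option name 'Allow-DHCP-DNS-NTP-guest'
	option src 'guest'
	list proto 'udp'
	list proto 'tcp'
	list dest_port '53'
	list dest_port '67'
	list dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Intercept-NTP'
	list proto 'udp'
	option src 'lan'
	option src_dport '123'
	option dest_ip '192.168.1.1'
	option dest_port '123'
EOF
}

# awk program: collect each UCI section, then classify it when the next
# section starts (or at EOF). Empty proto/dest_port match everything.
NTP_AUDIT_AWK=$(cat <<'AWK'
function flush() {
    if (type == "zone" && zname != "" && zinput == "ACCEPT")
        print "accept " zname
    if (type == "rule" && src != "" && dest == "" && target == "ACCEPT" &&
        (proto == "" || proto ~ /(^| )(udp|tcpudp|all)( |$)/) &&
        (dport == "" || dport ~ /(^| )123( |$)/))
        print "accept " src
    if (type == "redirect" && src != "" && (target == "" || target == "DNAT") &&
        (proto == "" || proto ~ /(^| )(udp|tcpudp|all)( |$)/) &&
        sdport ~ /(^| )123( |$)/)
        print "redirect " src
    type = ""; zname = ""; zinput = ""; src = ""; dest = ""
    target = ""; proto = ""; dport = ""; sdport = ""
}
/^config[ \t]/ { flush(); type = $2 }
/^[ \t]*(option|list)[ \t]/ {
    key = $2
    val = $0
    sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]*/, "", val)   # keep the value part
    gsub(/['"]/, "", val)                                    # strip UCI quoting
    if (key == "name" && type == "zone") zname = val
    else if (key == "input") zinput = val
    else if (key == "src") src = val
    else if (key == "dest") dest = val
    else if (key == "target") target = val
    else if (key == "proto") proto = proto " " val
    else if (key == "dest_port") dport = dport " " val
    else if (key == "src_dport") sdport = sdport " " val
}
END { flush() }
AWK
)

# stdin: firewall config; stdout: "accept ZONE" / "redirect ZONE" lines.
ntp_audit() {
    awk "$NTP_AUDIT_AWK"
}

# stdin: firewall config; args: zones to report on.
ntp_report() {
    found=$(ntp_audit)
    for z in "$@"; do
        a=no; r=no
        echo "$found" | grep -qx "accept $z" && a=yes
        echo "$found" | grep -qx "redirect $z" && r=yes
        echo "$z accept=$a redirect=$r"
    done
}

# Usage with the constructed sample:
#   sample_firewall | ntp_report lan guest iot
```

A zone reported with `redirect=yes` but `accept=no` is exactly the situation the post above warns about: intercepted packets land on the router, but nothing allows the router to answer them from that zone, so clients see timeouts rather than a served time.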

The firewall rule was correct, and it is working. I was just rebooting the client to force the clock to reset but didn't wait long enough for the sync to occur.

2 Likes