Redirect NTP to OpenWRT

Hi,

I've seen multiple topics on this board on redirecting NTP, some say it won't work, others say use modify redirect-DNS. So I did and started testing, but the queries seem to go out on the internet instead of being redirected to OpenWRT.

Obviously I'm doing something wrong or missing something.

/etc/config/system

config timeserver 'ntp'
	option enable_server '1'
	option interface 'lan'
	list server 'time.cloudflare.com'

/etc/config/firewall

config redirect
	option target 'DNAT'
	option name 'Intercept-NTP'
	option src 'lan'
	option family 'any'
	option src_dport '123'
	list proto 'udp'

Try changing the destination port to 123 instead of the source port.


Now I'm not that familiar with networking in general, but afaict it seems to be working just fine; however, the "Status -> Real Time Graph -> Connections" tab does not show this redirection.

Using tcpdump:

# tcpdump -i any -n udp port 123
...
14:36:08.767773 eth1  In  IP 192.168.1.2.44266 > 51.145.123.29.123: NTPv4, Client, length 48
14:36:08.767773 br-lan In  IP 192.168.1.2.44266 > 51.145.123.29.123: NTPv4, Client, length 48
14:36:08.767942 br-lan Out IP 51.145.123.29.123 > 192.168.1.2.44266: NTPv4, Server, length 48
14:36:08.767948 eth1  Out IP 51.145.123.29.123 > 192.168.1.2.44266: NTPv4, Server, length 48


Try installing the conntrack tool and following conntrack -E -p udp.
Also, in nft list ruleset there should be a redirect rule:

chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        iifname br-lan udp dport 123 counter redirect to :123
}

It does work, even with YouTube as destination server, lol.

$ ntpdate -q www.youtube.com
server 142.250.71.142, stratum 3, offset -0.757366, delay 0.02945
server 142.250.71.174, stratum 3, offset -0.757414, delay 0.02931
server 142.250.197.206, stratum 3, offset -0.757487, delay 0.02916
server 142.250.197.238, stratum 3, offset -0.757498, delay 0.02917
server 142.250.198.46, stratum 3, offset -0.757384, delay 0.02939
server 142.250.71.206, stratum 3, offset -0.757519, delay 0.02901
server 142.250.71.238, stratum 3, offset -0.757403, delay 0.02922
server 142.250.198.110, stratum 3, offset -0.757562, delay 0.02888
server 142.250.66.46, stratum 3, offset -0.757313, delay 0.02940
server 142.250.198.238, stratum 3, offset -0.756228, delay 0.03172
server 142.250.199.78, stratum 3, offset -0.757237, delay 0.02962
server 142.250.198.142, stratum 3, offset -0.756786, delay 0.03053
server 142.250.198.174, stratum 3, offset -0.756651, delay 0.03090
server 142.250.198.206, stratum 3, offset -0.757311, delay 0.02957
server 142.250.199.206, stratum 3, offset -0.757458, delay 0.02945
server 142.250.199.238, stratum 3, offset -0.757541, delay 0.02922
12 Jan 00:18:54 ntpdate[280]: step time server 142.250.197.206 offset -0.757487 sec

By the way, does anyone know how to make it work with all zones instead of creating multiple rules for each zone?

option src 'lan'

Do not try option src '*' -- it does not work.

Precisely, you need one rule per source x destination zone pair. The alternative is to write your own custom rule. Do you need help with that?

My firewall configurations have a total of 11 zones. I want to redirect all but wan zone. One rule per source zone is not very manageable. Can you give example how to do that using custom (nftables) rules?
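An added example, not from the thread, that answers the question above on the UCI side rather than with a hand-written nft chain: a POSIX shell script that reads /etc/config/firewall, lists every 'config zone' section, and prints one 'config redirect' section per zone except those named in SKIP_ZONES (default 'wan'). The redirect form (target DNAT, src_dport 123, dest_port 123, proto udp) is the one that produced the working 'redirect to :123' rule earlier in the thread. The sample firewall file built inside the script is constructed for illustration, and the section names 'Intercept-NTP-<zone>' are an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the thread): generate one fw4 'redirect' section per
# firewall zone, skipping the zones listed in SKIP_ZONES, so NTP (UDP/123) from
# every internal zone is answered by the router's own NTP server
# (config timeserver 'ntp' / option enable_server '1').
# Assumptions: standard UCI syntax in /etc/config/firewall, and the zone to
# skip is called 'wan' (set SKIP_ZONES="wan wan6" etc. if yours differ).

SKIP_ZONES="${SKIP_ZONES:-wan}"

# Print the 'option name' value of every 'config zone' section in a UCI file.
list_zones() {
    awk -v q="'" '
        /^config[ \t]+zone/ { in_zone = 1; next }
        /^config[ \t]+/     { in_zone = 0 }
        in_zone && $1 == "option" && $2 == "name" {
            gsub(q, "", $3); gsub(/"/, "", $3)   # strip single or double quotes
            print $3
        }
    ' "$1"
}

# Emit a UCI 'config redirect' section that intercepts NTP from one zone and
# hands it to the router itself on port 123 (this is what the thread found
# necessary: both src_dport and dest_port, so fw4 renders "redirect to :123").
redirect_section() {
    zone="$1"
    cat <<EOF

config redirect
	option name 'Intercept-NTP-${zone}'
	option target 'DNAT'
	option src '${zone}'
	option src_dport '123'
	option dest_port '123'
	list proto 'udp'
EOF
}

# Print redirect sections for every zone in the file except those in SKIP_ZONES.
gen_ntp_redirects() {
    list_zones "$1" | while read -r zone; do
        skip=0
        for s in $SKIP_ZONES; do
            [ "$zone" = "$s" ] && skip=1
        done
        if [ "$skip" -eq 0 ]; then
            redirect_section "$zone"
        fi
    done
}

# Constructed sample /etc/config/firewall (not the poster's 11-zone config),
# written to a temp file so the script can be exercised off the router.
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
config defaults
	option input 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option masq '1'

config zone
	option name 'guest'
	list network 'guest'

config zone
	option name 'iot'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'wan'
EOF
    echo "$f"
}

# Usage: sh ntp-redirects.sh /etc/config/firewall   (or no argument for the sample)
if [ $# -gt 0 ]; then
    gen_ntp_redirects "$1"
else
    gen_ntp_redirects "$(make_sample_config)"
fi
```

On the router, review the output before appending it: sh ntp-redirects.sh /etc/config/firewall > /tmp/ntp-redirects.conf, then cat /tmp/ntp-redirects.conf >> /etc/config/firewall and /etc/init.d/firewall restart. Re-run it whenever a zone is added; fw4 still creates one nft rule per zone, which is what the nft list ruleset check earlier in the thread will show.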

I have this in /etc/nftables.d/

chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        iif $guest_devices meta l4proto {tcp,udp} ct original proto-dst 53 counter redirect to :53
}

This gets prepended to the ruleset.
