redirect outgoing port 123 to my own ntp LAN server

ActionHenk
Posts: 49
Joined: Sun Jun 09, 2019 11:05 am

redirect outgoing port 123 to my own ntp LAN server

Post by ActionHenk »

Hi,

Is there a way in Gargoyle to redirect outgoing WAN NTP requests on port 123 to my own NTP server in my own LAN?

I have 2 new IP cameras hooked up to my NAS. But these cams are the first where I can't set a custom NTP server URL (the NAS also acts as NTP server). I checked Pi-hole and these IP cams do use NTP requests.

Anyway, since I block all IoT from the WAN port in Gargoyle, their OSD time and date are useless.

I could change the firewall rules in Gargoyle from "block all network access" to "block everything except outgoing port 123" and then the cameras' time is synced. But I'd rather keep the "block all network access" option.

So is there a way? Maybe in dnsmasq? Or a plugin? I'm running Gargoyle 1.14 on my main router (R7800).

If it is possible, is there also an option to only redirect NTP requests from specific IPs?

Thanks

Lantis
Moderator
Posts: 7009
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: redirect outgoing port 123 to my own ntp LAN server

Post by Lantis »

There is no GUI method to achieve this.
Add the following to your /etc/config/firewall:

Code:

config redirect 'ntp_123'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '123'
        option dest_port '123'
        option dest 'lan'
        option dest_ip 'your local NTP server IP here'
        option target 'DNAT'
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

ActionHenk
Posts: 49
Joined: Sun Jun 09, 2019 11:05 am

Re: redirect outgoing port 123 to my own ntp LAN server

Post by ActionHenk »

Thank you so much, yes this works. Got the correct time now on both my new cams :) :)

But I guess this redirects all outgoing NTP requests to my NAS, right?

Is there a way to only redirect specific IPs?

If I read through the lines, there is the "option dest_ip" for my NAS NTP server.

Can I also do this with option src? Like "option src_ip" and then add multiple source IPs?

Like this?

Code:

config redirect 'ntp_123'
        option src 'lan'
        option src_ip '192.168.1.1'
        option src_ip '192.168.1.2'
        option proto 'tcp udp'
        option src_dport '123'
        option dest_port '123'
        option dest 'lan'
        option dest_ip '192.168.1.100'
        option target 'DNAT'
Thanks!

Lantis
Moderator
Posts: 7009
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: redirect outgoing port 123 to my own ntp LAN server

Post by Lantis »

Yes, but it doesn’t support multiple IPs (except in CIDR notation).
Just specify 1 IP, and create a second rule with the other IP specified.

Bit ugly but that’s what we’ve got :)

ActionHenk
Posts: 49
Joined: Sun Jun 09, 2019 11:05 am

Re: redirect outgoing port 123 to my own ntp LAN server

Post by ActionHenk »

I think I have created myself a little problem here.

Since I broadcast Pi-hole as the only DNS server on my LAN, which I configured in /etc/dnsmasq.conf > dhcp-option=6,"pi-hole ip address"

All DNS (NTP) requests on my LAN are of course handled by Pi-hole. So since the router doesn't get or handle any DNS requests, it of course doesn't redirect any NTP requests to my NAS, right?

But then how did the cameras get their time synchronized when I rebooted the router after I edited /etc/config/firewall with your code?

Could it be that somehow when the R7800 boots, it runs for a few seconds without a firewall? Because only right after a router reboot the cams get their time immediately synchronized, so they must get through the firewall. I can repeat this also with the original /etc/config/firewall "without NTP to NAS redirects" and the outcome is always the same. The cameras sync, but only right after the router reboot. If I reboot the cams on a running router, their time never gets synchronized.

I guess I have to somehow let Pi-hole redirect the NTP port 123 requests from my cameras to my NAS.

Well, so far I have learned new things!

Lantis
Moderator
Posts: 7009
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: redirect outgoing port 123 to my own ntp LAN server

Post by Lantis »

Pihole should have no impact.

Camera wants to make time update
Asks pihole for IP address of the NTP server it wants to use
Pihole responds
Camera attempts connection to IP via Router
Router enforces redirect rule and pushes the connection to your NAS.

Why it doesn’t work when rebooting cams is interesting. It is potentially due to the order of firewall rules. The block might be enforced before the redirect. Just guessing without seeing the whole iptables chains.
You could counter this by specifically allowing 123 for those devices, and then the redirect should take hold after that.
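The two answers above boil down to a small recipe: one UCI redirect section per camera (src_ip takes a single address or CIDR range, not a list), each section with its own unique name, and optionally an explicit ACCEPT for port 123 per device in case a general block is evaluated before the redirect. The script below is an added example, not code from the thread or from the Gargoyle project: it generates those sections for a list of camera IPs, and includes a small parser and lint for the /etc/config/firewall syntax that flags the two mistakes discussed in the thread (several src_ip lines in one section, and two sections sharing a name). The section layout copies the redirect posted above; the per-device "config rule ... option target 'ACCEPT'" section is an assumption based on the standard OpenWrt rule syntax, and whether that ordering actually resolves the reboot-only behaviour is not something this script can verify.

```python
"""Generate and lint Gargoyle/OpenWrt UCI firewall sections that DNAT outgoing
NTP (port 123) from chosen LAN devices to a LAN NTP server.

Added example (not from the forum thread or the Gargoyle project). Assumptions:
- redirect layout as posted in the thread: src 'lan', dest 'lan', target 'DNAT';
- one section per source IP, because UCI src_ip takes one host or CIDR range;
- optional per-device ACCEPT rule uses standard OpenWrt 'config rule' syntax.
"""
import ipaddress
import re
from collections import defaultdict

NTP_PORT = "123"

_CONFIG_RE = re.compile(r"^config\s+(\w+)(?:\s+'([^']*)')?\s*$")
_OPTION_RE = re.compile(r"^option\s+(\w+)\s+'([^']*)'\s*$")


def _validate_src(value):
    """UCI src_ip accepts a single host or a CIDR range; reject anything else."""
    ipaddress.ip_network(value, strict=False)  # raises ValueError if malformed
    return value


def ntp_redirect_section(name, src_ip, ntp_server):
    """One redirect section: NTP from src_ip is DNATed to ntp_server on the LAN."""
    return "\n".join([
        f"config redirect '{name}'",
        "\toption src 'lan'",
        f"\toption src_ip '{src_ip}'",
        "\toption proto 'tcp udp'",
        f"\toption src_dport '{NTP_PORT}'",
        f"\toption dest_port '{NTP_PORT}'",
        "\toption dest 'lan'",
        f"\toption dest_ip '{ntp_server}'",
        "\toption target 'DNAT'",
    ])


def ntp_allow_section(name, src_ip):
    """Assumed OpenWrt-style ACCEPT rule: let one device reach port 123 towards WAN,
    for the case where a general block is evaluated before the redirect."""
    return "\n".join([
        f"config rule '{name}'",
        "\toption src 'lan'",
        f"\toption src_ip '{src_ip}'",
        "\toption dest 'wan'",
        "\toption proto 'tcp udp'",
        f"\toption dest_port '{NTP_PORT}'",
        "\toption target 'ACCEPT'",
    ])


def generate_ntp_sections(cameras, ntp_server, allow_wan=False):
    """Emit uniquely named sections for every camera (allow rule first, if requested)."""
    ipaddress.ip_address(ntp_server)  # the NTP target must be a single host
    parts = []
    for i, cam in enumerate(cameras, start=1):
        _validate_src(cam)
        if allow_wan:
            parts.append(ntp_allow_section(f"ntp_allow_{i}", cam))
        parts.append(ntp_redirect_section(f"ntp_123_{i}", cam, ntp_server))
    return "\n\n".join(parts) + "\n"


def parse_uci(text):
    """Minimal parser for 'config <type> '<name>'' / 'option <key> '<value>'' lines.
    Repeated option keys are kept as a list so the lint can see duplicates."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _CONFIG_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "options": defaultdict(list)}
            sections.append(current)
            continue
        m = _OPTION_RE.match(line)
        if m and current is not None:
            current["options"][m.group(1)].append(m.group(2))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return sections


def lint_redirects(sections):
    """Report the mistakes discussed in the thread plus missing mandatory options."""
    problems, seen = [], set()
    for s in sections:
        name = s["name"]
        if name in seen:
            problems.append(f"duplicate section name {name!r}: UCI section names must be unique")
        seen.add(name)
        if s["type"] != "redirect":
            continue
        src_ips = s["options"].get("src_ip", [])
        if len(src_ips) > 1:
            problems.append(f"{name}: src_ip given {len(src_ips)} times; use one section per IP or a CIDR range")
        for key in ("src", "dest", "dest_ip", "target"):
            if key not in s["options"]:
                problems.append(f"{name}: missing option {key}")
    return problems


if __name__ == "__main__":
    # Constructed sample: two camera addresses and a NAS address, not from the thread.
    conf = generate_ntp_sections(["192.168.1.21", "192.168.1.22"], "192.168.1.100", allow_wan=True)
    print(conf)
    print("lint:", lint_redirects(parse_uci(conf)) or "ok")
```

Run it and paste the generated sections into /etc/config/firewall, then restart the firewall; before that, run lint_redirects over your existing file to catch a reused section name. Note the thread's later observation that saving from the Gargoyle web interface rewrites these sections into WAN port forwards, so keep a copy of the hand-edited file.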

pythonic
Posts: 256
Joined: Mon Mar 11, 2019 5:47 am
Location: Australia

Re: redirect outgoing port 123 to my own ntp LAN server

Post by pythonic »

If the cameras are using pihole for DNS to whatever NTP server they want to use, couldn't pihole be used to redirect those requests to your internal NTP server rather than the firewall level redirection?

ActionHenk
Posts: 49
Joined: Sun Jun 09, 2019 11:05 am

Re: redirect outgoing port 123 to my own ntp LAN server

Post by ActionHenk »

Well, I tried for hours, and I can't get it to work.

This is the latest entry I did:

Code:

# TCP redirect
config redirect 'ntp_123_tcp'
        option src 'lan'
        option proto 'tcp'
        option src_dport '123'
        option dest_port '123'
        option dest 'lan'
        option dest_ip 'ip-nas'
        option target 'DNAT'

# UDP redirect (separate section; UCI section names must be unique)
config redirect 'ntp_123_udp'
        option src 'lan'
        option proto 'udp'
        option src_dport '123'
        option dest_port '123'
        option dest 'lan'
        option dest_ip 'ip-nas'
        option target 'DNAT'
And after a reboot it stays the same, no time sync.

Anyway, with all those NTP entries in /etc/config/firewall, I noticed something: when I go into the router's web interface and save from within the "Firewall" page, the entries in /etc/config/firewall are converted to individual port forwarding rules, and thus "option src" is changed to wan. They then also show up in the individual port forwarding list in the web interface as normal port forwardings from WAN to LAN.

For now I reverted back to the old situation, so no time on the cameras.

Thanks

ActionHenk
Posts: 49
Joined: Sun Jun 09, 2019 11:05 am

Re: redirect outgoing port 123 to my own ntp LAN server

Post by ActionHenk »

pythonic wrote:
Sun Dec 08, 2024 1:57 am
If the cameras are using pihole for DNS to whatever NTP server they want to use, couldn't pihole be used to redirect those requests to your internal NTP server rather than the firewall level redirection?
I was looking into this, but the cameras use a whole list of NTP servers. Some Windows servers too, so if I do that, I have to redirect a lot of URLs. Besides that, I don't really know how to configure Pi-hole to do that. I've seen topics on Google where users do it, but I can't figure out how.

If it is possible, I'd rather use the router and only redirect the camera IP addresses that need it.

Thanks!

ActionHenk
Posts: 49
Joined: Sun Jun 09, 2019 11:05 am

Re: redirect outgoing port 123 to my own ntp LAN server

Post by ActionHenk »

OK, I've got one cam's time synchronized to my NAS.

I forced time sync in Surveillance Station with the ONVIF protocol. I tried that before, but it didn't work because the NTP server is open on NAS UTP port 1 (that's the IP address I use for NTP in my local LAN) and blocked on NAS UTP port 2 :D

So since I set up Surveillance Station to use the NAS's UTP port 2, it also forced the NTP sync on port 2, which had another IP address where the NTP server was blocked in the firewall. Anyway, I have now also opened port 123 on UTP port 2, so I'm good with that cam without redirecting.

Now for the other cam, which is a slightly different model: unfortunately it can't be forced to use Surveillance Station's NTP server. Let's hope for a firmware upgrade where it does just that; then I don't need redirecting at all.