redirect outgoing port 123 to my own ntp LAN server
- Posts: 49
- Joined: Sun Jun 09, 2019 11:05 am
Hi,
Is there a way in Gargoyle to redirect outgoing WAN NTP requests on port 123 to my own NTP server in my own LAN?
I have 2 new IP cameras hooked up to my NAS. But these cams are the first where I can't set a custom NTP server URL (the NAS also acts as NTP server); I checked Pi-hole and these IP cams do use NTP requests.
Anyway, since I block all IoT from the WAN port in Gargoyle, their OSD time and date are useless.
I could change the firewall rules in Gargoyle from "block all network access" to "block everything except outgoing port 123" and then the cameras' time is synced. But I'd rather keep the "block all network access" option.
So is there a way? Maybe in dnsmasq? Or a plugin? I'm running Gargoyle 1.14 on my main router (R7800).
If it is possible, is there also an option to only redirect NTP requests from specific IPs?
Thanks
Re: redirect outgoing port 123 to my own ntp LAN server
There is no GUI method to achieve this.
Add the following to your /etc/config/firewall
config redirect 'ntp_123'
option src 'lan'
option proto 'tcp udp'
option src_dport '123'
option dest_port '123'
option dest 'lan'
option dest_ip 'your local NTP server IP here'
option target 'DNAT'
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: redirect outgoing port 123 to my own ntp LAN server
Thank you so much, yes this works. Got the correct time now on both my new cams.
But I guess this redirects all outgoing NTP requests to my NAS, right?
Is there a way to only redirect specific IPs?
If I read between the lines, there is the "option dest_ip" for my NAS NTP server.
Can I also do this with option src? Like "option src_ip" and then add multiple source IPs?
Like this?
Thanks!
config redirect 'ntp_123'
option src 'lan'
option src_ip '192.168.1.1'
option src_ip '192.168.1.2'
option proto 'tcp udp'
option src_dport '123'
option dest_port '123'
option dest 'lan'
option dest_ip '192.168.1.100'
option target 'DNAT'
Re: redirect outgoing port 123 to my own ntp LAN server
Yes, but it doesn't support multiple IPs (except in CIDR notation).
Just specify 1 IP, and create a second rule with the other IP specified.
Bit ugly, but that's what we've got.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: redirect outgoing port 123 to my own ntp LAN server
I think I have created myself a little problem here.
Since I broadcast Pi-hole as the only DNS server on my LAN, which I configured in /etc/dnsmasq.conf > dhcp-option=6,"pi-hole ip adress"
All DNS (NTP) requests on my LAN are of course handled by Pi-hole. So since the router doesn't get or handle any DNS requests, it of course doesn't redirect any NTP requests to my NAS, right?
But then how did the cameras get their time synchronized when I rebooted the router after I edited /etc/config/firewall with your code?
Could it be that somehow when the R7800 boots, it runs for a few seconds without a firewall? Because only right after a router reboot are the cams getting their time immediately synchronized, so they must get through the firewall. I can repeat this also with the original /etc/config/firewall "without NTP to NAS redirects" and the outcome is always the same. The cameras sync, but only right after the router reboot. If I reboot the cams on a running router, their time never gets synchronized.
I guess I have to somehow let Pi-hole redirect the NTP port 123 requests from my cameras to my NAS.
Well, so far I have learned new things!
Re: redirect outgoing port 123 to my own ntp LAN server
Pi-hole should have no impact.
Camera wants to make a time update.
Asks Pi-hole for the IP address of the NTP server it wants to use.
Pi-hole responds.
Camera attempts a connection to that IP via the router.
Router enforces the redirect rule and pushes the connection to your NAS.
Why it doesn’t work when rebooting cams is interesting. It is potentially due to the order of firewall rules. The block might be enforced before the redirect. Just guessing without seeing the whole iptables chains.
You could counter this by specifically allowing 123 for those devices, and then the redirect should take hold after that.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
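Putting the two suggestions from this thread together (one redirect per source address, since src_ip takes a single IP or CIDR range, and an explicit accept for port 123 for those devices so a block rule cannot win over the redirect), here is an added example, not code from the thread or from Gargoyle itself: a POSIX sh generator that prints the UCI firewall sections for a list of camera addresses. The function names and section names are hypothetical, the addresses are constructed, and the redirect layout follows the config posted earlier in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Gargoyle): print UCI firewall
# sections that send NTP (port 123) from chosen LAN hosts to a LAN NTP server.
# One 'config rule' (ACCEPT) and one 'config redirect' (DNAT) per source,
# numbered so every section has a unique UCI name.
# usage: ntp_redirect_sections <ntp_server_ip> <camera_ip_or_cidr>...
ntp_redirect_sections() {
    nas="$1"; shift
    n=0
    for src in "$@"; do
        n=$((n + 1))
        # Explicitly allow port 123 from this host to any zone ('*'),
        # the workaround suggested above for a block rule that is applied first.
        printf "config rule 'ntp_allow_%s'\n" "$n"
        printf "\toption src 'lan'\n"
        printf "\toption src_ip '%s'\n" "$src"
        printf "\toption dest '*'\n"
        printf "\toption proto 'tcp udp'\n"
        printf "\toption dest_port '123'\n"
        printf "\toption target 'ACCEPT'\n\n"
        # DNAT: rewrite the destination of this host's NTP packets to the NAS.
        printf "config redirect 'ntp_123_%s'\n" "$n"
        printf "\toption src 'lan'\n"
        printf "\toption src_ip '%s'\n" "$src"
        printf "\toption proto 'tcp udp'\n"
        printf "\toption src_dport '123'\n"
        printf "\toption dest 'lan'\n"
        printf "\toption dest_ip '%s'\n" "$nas"
        printf "\toption dest_port '123'\n"
        printf "\toption target 'DNAT'\n\n"
    done
}

# Sanity check helper: count sections of one type in generated text.
# usage: count_sections <rule|redirect> "<text>"
count_sections() {
    printf '%s\n' "$2" | grep -c "^config $1 "
}

# Constructed sample: NAS at .100, two cameras at .21 and .22.
ntp_redirect_sections 192.168.1.100 192.168.1.21 192.168.1.22
```

Append the output to /etc/config/firewall by hand and run /etc/init.d/firewall restart. Because the NAS answers the camera directly on the same LAN, the reply's source address is the NAS rather than the server the camera asked; a client that insists on a matching source address additionally needs source NAT on the lan zone, which this example does not add.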
Re: redirect outgoing port 123 to my own ntp LAN server
If the cameras are using pihole for DNS to whatever NTP server they want to use, couldn't pihole be used to redirect those requests to your internal NTP server rather than the firewall level redirection?
Re: redirect outgoing port 123 to my own ntp LAN server
Well, I tried for hours, and I can't get it to work.
This is the latest entry I did:
And after a reboot it stays the same, no time sync.
config redirect 'ntp_123'
option src 'lan'
option proto 'tcp'
option src_dport '123'
option dest_port '123'
option dest 'lan'
option dest_ip 'ip-nas'
option target 'DNAT'
config redirect 'ntp_123'
option src 'lan'
option proto 'udp'
option src_dport '123'
option dest_port '123'
option dest 'lan'
option dest_ip 'ip-nas'
option target 'DNAT'
Anyway, with all those NTP entries in /etc/config/firewall, I noticed something: when I go into the router's web interface and save from within the "Firewall" page, the entries in /etc/config/firewall are converted to Individual Port Forwarding rules, and thus the "option src" is changed to wan. They then also show up in the individual port forwarding list in the web interface as normal port forwardings from WAN to LAN.
For now I reverted back to the old situation, so no time on the cameras.
Thanks
Re: redirect outgoing port 123 to my own ntp LAN server
I was looking into this, but the cameras use a whole list of NTP servers, some Windows servers too, so if I do that, I have to redirect a lot of URLs. Besides that, I don't really know how to configure Pi-hole to do that. I've seen topics on Google where users do it, but I can't figure out how.
If it is possible I'd rather use the router and only redirect the camera IP addresses that need it.
Thanks!
Re: redirect outgoing port 123 to my own ntp LAN server
OK, I've got 1 cam's time synchronized to my NAS.
I forced time sync in Surveillance Station with the ONVIF protocol. I tried that before, but it didn't work because the NTP server is open on NAS UTP port 1 (that's the IP address I use for NTP in my local LAN) and blocked on NAS UTP port 2.
So since I set up Surveillance Station to use the NAS's UTP port 2, it also forced the NTP sync on port 2, which had another IP address where the NTP server was blocked in the firewall. Anyway, I now also opened port 123 on UTP port 2, so I'm good with that cam without redirecting.
Now for the other cam, which is a slightly different model: unfortunately it can't be forced to use Surveillance Station's NTP server. Let's hope for a firmware upgrade where it does just that; then I don't need redirecting at all.