Configuring firewall for use as NTP server

Hi,

v6.24.7

I’ve installed the ntp package, and (hopefully correctly) configured the ntp server properly:

[admin@MikroTik] /system ntp server> print 
              enabled: yes
            broadcast: yes
            multicast: no
             manycast: yes
  broadcast-addresses: 192.168.1.0

Now I need to configure the firewall to allow systems on the LAN to see that server, so I added rule 8, which – I hope – accepts requests to udp port 123 from the 192.168.1.0 network. Nmap only shows ports 22, 80 and 2000 listening, but ntpq seems to show it’s working. Which is right?

$ sudo nmap 192.168.1.1

Starting Nmap 7.50 ( https://nmap.org ) at 2018-09-05 18:34 CDT
Nmap scan report for 192.168.1.1
Host is up (0.0016s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
2000/tcp open  cisco-sccp
MAC Address: 6C:3B:6B:2F:7F:5C (Routerboard.com)

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
$ sudo ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.1     .POOL.          16 p    -   64    0    0.000    0.000   0.000
 192.168.1.1     68.0.14.76       3 u   54   64    1    0.255   -0.737   0.000
[admin@MikroTik] /ip firewall filter> print 

Flags: X - disabled, I - invalid, D - dynamic 

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3    ;;; defconf: drop all from WAN
      chain=input action=drop tcp-flags="" in-interface=ether1 log=no log-prefix="WANDrop " 

 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 7    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=yes log-prefix="not_DSTNATed" 

 8    chain=forward action=accept protocol=udp src-address=192.168.1.0 dst-address=192.168.1.1 src-port="" dst-port=123 log=no log-prefix=""

Wrong chain. Should be input chain, not forward.

Also, having the accept rule at the end after your drop all rules will not help. Traffic should not be blocked for internal NTP clients, so the rule would only be useful to allow ntp traffic that is being blocked by one of your drop rules.

Please note that RouterOS has implicit allow all at the end of the chain instead of implicit deny all.

Assuming a /24 subnet (why do people asking these sorts of questions never state important stuff like this?):

  1. Use of source and broadcast addresses of 192.168.1.0 is completely invalid
  2. There is no forwarding going on as it’s on the same subnet
  3. Access from the LAN subnet to the router is open anyway, so no firewall rule is needed
  4. Nmap as used shows TCP ports open and NTP uses UDP, so the lack of it showing up is hardly surprising

Suggest learning the basics of networking first.
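Putting the two replies together, here is an added example (not from the thread or from the poster's router) of what the corrected configuration looks like, assuming the /24 LAN the last reply assumes and a router LAN address of 192.168.1.1:

```routeros
# Added example, not from the thread. Assumes LAN = 192.168.1.0/24 and
# that the router's LAN address is 192.168.1.1.

# The broadcast address of a /24 is .255; .0 is the network address and is
# not a valid broadcast or source address.
/system ntp server
set enabled=yes broadcast=yes broadcast-addresses=192.168.1.255

# Packets addressed to the router itself (dst 192.168.1.1) go through the
# input chain, never forward. With the default ruleset, LAN input already
# falls through to the implicit accept, so this rule only matters if a drop
# rule above it would catch the packets; placing it before "drop all from WAN"
# keeps it effective if that rule is ever widened.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=123 \
    src-address=192.168.1.0/24 comment="accept NTP from LAN" \
    place-before=[find comment="defconf: drop all from WAN"]

# The original rule 8 (forward chain, host address 192.168.1.0, last in the
# chain) can never match and can be removed.
remove [find chain=forward protocol=udp dst-port=123]
```

To verify from a LAN host, scan UDP rather than the default TCP scan (`sudo nmap -sU -p 123 192.168.1.1`) and confirm with `ntpq -np` that the router's reach counter keeps increasing.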