NTP client

Hi there,

I configured an NTP client on my RB450G (ntp.pool.org). NTP did not update the system clock. When I added some debug logging I noticed the NTP client is trying to connect to the NTP server with my external IP address. Why is that? Shouldn't it just use my internal IP like all my other clients do?

Now I need to add a rule in my firewall to allow traffic from WAN to WAN...

thank you in advance..

It will use the preferred IP address on the interface that faces the destination IP according to the routing table. That is the expected behavior on virtually any routing platform.

Why does that require you to edit your firewall? Ideally - for resources and sanity - your input chain rules should be stateful, and allow packets belonging to established connections back in. The output chain is rarely filtered, if it is, just permit connections to UDP/123.
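To make the source-address selection concrete, here is an added Python model (not code from the thread or from RouterOS) that does a longest-prefix route lookup over the three addresses the poster lists further down and returns the egress interface and the address the router itself would put in the packet. It assumes a default route out of the WAN interface with a hypothetical gateway 62.56.3.1 (the thread shows no /ip route output), uses the documentation-range address 192.0.2.10 to stand in for a public NTP server, and treats the single address on each interface as its preferred address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the poster's "/ip address print detail" output.
INTERFACE_ADDRESSES = [
    ("ETH-2 _WLAN", ipaddress.ip_interface("10.10.10.1/24")),
    ("bridge1", ipaddress.ip_interface("7.7.7.1/24")),
    ("ETH-1 _WAN", ipaddress.ip_interface("62.56.3.2/24")),
]

# Assumed: a default route out of the WAN interface. The thread shows no
# /ip route output, and 62.56.3.1 is a hypothetical gateway in the WAN subnet.
DEFAULT_GATEWAY = ipaddress.ip_address("62.56.3.1")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address] = None  # None = connected route


def build_routes() -> List[Route]:
    """Connected routes RouterOS derives from each address, plus the default."""
    routes = [Route(ifa.network, name) for name, ifa in INTERFACE_ADDRESSES]
    routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "ETH-1 _WAN", DEFAULT_GATEWAY))
    return routes


ROUTES = build_routes()


def lookup(dst: str) -> Route:
    """Longest-prefix match, the rule every routing table applies."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTES if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def source_for(dst: str) -> Tuple[str, str]:
    """Egress interface and the source address the router itself will use.

    RouterOS takes the preferred address of the egress interface; each
    interface here has exactly one address, so that is the one returned.
    """
    route = lookup(dst)
    for name, ifa in INTERFACE_ADDRESSES:
        if name == route.interface:
            return route.interface, str(ifa.ip)
    raise LookupError(f"no address on {route.interface}")


if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range address standing in for a pool server.
    for dst in ("192.0.2.10", "10.10.10.50", "7.7.7.3"):
        iface, src = source_for(dst)
        via = lookup(dst).gateway or "connected"
        print(f"{dst:<12} -> out {iface:<12} src {src:<12} via {via}")
```

A query to the NTP server falls through to the default route, leaves via ETH-1 _WAN and is therefore sourced from 62.56.3.2; only destinations inside 10.10.10.0/24 or 7.7.7.0/24 get the internal addresses. LAN clients look different because their packets are forwarded and masqueraded, whereas the router's own packets are never rewritten to an internal address.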

thank you for your’e reply!

I agree, it is not necessary for me to filter outgoing traffic; I did not expect it to be.

I'll add some details as requested. Thank you for looking at it!

/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   address=10.10.10.1/24 network=10.10.10.0 broadcast=10.10.10.255
     interface=ETH-2 _WLAN actual-interface=ETH-2 _WLAN

 1   address=7.7.7.1/24 network=7.7.7.0 broadcast=7.7.7.255 interface=bridge1
     actual-interface=bridge1

 2 D address=62.56.3.2/24 network=62.56.3.0 broadcast=62.56.3.255
     interface=ETH-1 _WAN actual-interface=ETH-1 _WAN

/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME         TYPE    MTU   L2MTU
 0  R ETH-1 _WAN   ether   1500  1524
 1  R ETH-2 _WLAN  ether   1500  1524
 2  R ETH-3        ether   1500  1524
 3  R ETH-4        ether   1500  1524
 4  R ETH-5        ether   1500  1524
 5  R bridge1      bridge  1500  1524

/ip firewall export

# mar/06/2011 18:07:28 by RouterOS 4.16
# software id = 23TX-Q9I7
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
    tcp-close-wait-timeout=10s tcp-established-timeout=1d
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment=FW_VPN disabled=no protocol=gre
add action=accept chain=input comment=FW_VPN disabled=no dst-port=1723
    protocol=tcp
add action=accept chain=input comment=FW_IPHONE_TIKBOX disabled=no
    dst-address=10.10.10.1 dst-port=8728 in-interface="!ETH-1 _WAN"
    protocol=tcp
add action=accept chain=input comment=FW_IPHONE_TIKBOX disabled=no
    dst-address=10.10.10.1 in-interface="!ETH-1 _WAN" protocol=icmp
add action=accept chain=input comment="" disabled=no dst-port=123
    in-interface="ETH-1 _WAN" protocol=udp src-port=123
add action=accept chain=input comment=FW_WINBOX disabled=no
    dst-address=10.10.10.1 dst-port=8291 in-interface="!ETH-1 _WAN"
    protocol=tcp
add action=accept chain=input comment="Allow SSH to firewall " disabled=no
    dst-address=10.10.10.1 dst-port=22 in-interface="!ETH-1 _WAN"
    protocol=tcp
add action=accept chain=forward comment=FW_SSH disabled=no
    dst-address=7.7.7.3 dst-port=22 in-interface="ETH-2 _WLAN" protocol=tcp
add action=accept chain=forward comment="IPHONE MPD CLIENT MPOD " disabled=no
    dst-port=6600 out-interface=bridge1 protocol=tcp
add action=drop chain=forward comment=FW_BLOCK_FORWARD disabled=yes
    out-interface=bridge1
add action=drop chain=input comment=FW_BLOCK_ALL_INPUT disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no
    out-interface="ETH-1 _WAN"
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

Add this at the top of the input chain firewall filters:

/ip firewall filter
add chain=input connection-state=established action=accept 
add chain=input connection-state=related action=accept 
add chain=input connection-state=invalid action=drop 

Now the router will accept packets that are part of connections it started. When it queries the NTP server, the reply will be permitted. The NTP server sending it something out of nowhere will be blocked.

This will also make the rest of your rules more efficient, since the vast majority of all packets will be covered by the first rule; only the first packet (or first three for TCP) of each connection has to traverse the entire rule set.

Those would also make sense for your forward chain. Just replace the chain name and move them to the top.
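As an added illustration (not code from the thread or from RouterOS), the following Python model evaluates a reduced input chain against the NTP reply and against an unsolicited packet, comparing the poster's port-based accept with the stateful rules suggested above. It tracks only flows the router itself sent, so it knows the states new and established (related and invalid are not modelled); 192.0.2.10 and 198.51.100.7 are constructed addresses; the stateful ruleset leaves out the poster's UDP/123 accept because the established rule makes it redundant; and the ephemeral client port 50123 is an assumption about how a client might bind, not something the thread establishes.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

WAN = "ETH-1 _WAN"           # interface name from the poster's config
ROUTER_WAN_IP = "62.56.3.2"  # the router's WAN address from /ip address
NTP_SERVER = "192.0.2.10"    # constructed: stands in for a pool server
STRANGER = "198.51.100.7"    # constructed: an unrelated Internet host


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on (or leaves by)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One /ip firewall filter rule; None means that matcher is unset."""
    action: str
    connection_state: Optional[str] = None
    protocol: Optional[str] = None
    in_interface: Optional[str] = None  # leading "!" negates, as in RouterOS
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.connection_state and state != self.connection_state:
            return False
        if self.protocol and pkt.proto != self.protocol:
            return False
        if self.in_interface:
            negate = self.in_interface.startswith("!")
            name = self.in_interface.lstrip("!")
            if (pkt.iface == name) == negate:
                return False
        if self.src_port is not None and pkt.sport != self.src_port:
            return False
        if self.dst_port is not None and pkt.dport != self.dst_port:
            return False
        return True


class ConnTracker:
    """Remembers 5-tuples the router itself sent so replies are recognised."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def note_outgoing(self, pkt: Packet) -> None:
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt: Packet) -> str:
        # A packet whose reversed 5-tuple is tracked belongs to a flow we opened.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "established"
        return "new"  # "related" and "invalid" are not modelled here


def filter_input(rules: List[Rule], pkt: Packet, tracker: ConnTracker) -> str:
    """First matching rule decides; RouterOS accepts when nothing matches."""
    state = tracker.state(pkt)
    for rule in rules:
        if rule.matches(pkt, state):
            return rule.action
    return "accept"


# The poster's chain, reduced to the rules that can see UDP/123 from the WAN.
ORIGINAL_INPUT = [
    Rule("accept", protocol="udp", in_interface=WAN, src_port=123, dst_port=123),
    Rule("drop"),  # FW_BLOCK_ALL_INPUT
]

# The three suggested rules on top; the UDP/123 accept is left out as redundant.
STATEFUL_INPUT = [
    Rule("accept", connection_state="established"),
    Rule("accept", connection_state="related"),
    Rule("drop", connection_state="invalid"),
    Rule("drop"),  # FW_BLOCK_ALL_INPUT
]


def ntp_reply_verdict(rules: List[Rule], client_port: int) -> str:
    """Router queries the server from client_port; what happens to the reply?"""
    tracker = ConnTracker()
    query = Packet(WAN, "udp", ROUTER_WAN_IP, client_port, NTP_SERVER, 123)
    tracker.note_outgoing(query)
    reply = Packet(WAN, "udp", NTP_SERVER, 123, ROUTER_WAN_IP, client_port)
    return filter_input(rules, reply, tracker)


def unsolicited_verdict(rules: List[Rule]) -> str:
    """A host we never spoke to sends 123 -> 123 at the WAN address."""
    pkt = Packet(WAN, "udp", STRANGER, 123, ROUTER_WAN_IP, 123)
    return filter_input(rules, pkt, ConnTracker())


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_INPUT), ("stateful", STATEFUL_INPUT)):
        print(label,
              "reply(sport 123):", ntp_reply_verdict(rules, 123),
              "reply(sport 50123):", ntp_reply_verdict(rules, 50123),
              "unsolicited:", unsolicited_verdict(rules))
```

The port-based rule only lets the reply in when the client happened to bind source port 123, and it lets in anything else on the Internet that sends from port 123 to port 123 at the WAN address. The stateful rules accept the reply regardless of which port the client used and drop the unsolicited packet at the final drop rule, which is exactly the behaviour the answer describes.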

Thank you so much for taking the time to explain!